Abstract

In this work, we consider the long-standing open question of constructing constant-round 
concurrent zero-knowledge protocols in the plain model. Resolving this question is known to 
require non-black-box techniques. 

We consider non-black-box techniques for zero-knowledge based on knowledge assumptions, 
a line of thinking initiated by the work of Hada and Tanaka (CRYPTO 1998). Prior to our work, 
it was not known whether knowledge assumptions could be used for achieving security in the 
concurrent setting, due to a number of significant limitations that we discuss here. Nevertheless, 
we obtain the following results: 

1. We obtain the first constant-round concurrent zero-knowledge argument for NP in the
plain model based on a new variant of the knowledge of exponent assumption. Furthermore,
our construction avoids the inefficiency inherent in previous non-black-box techniques such
as those of Barak (FOCS 2001); we obtain our result through an efficient protocol
compiler.

2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue the soundness 
of our protocol. Instead, we use a discrete log like assumption, which we call Diffie-Hellman 
Logarithm Assumption, to prove the soundness of our protocol. 

3. We give evidence that our new variant of knowledge of exponent assumption is in fact 
plausible. In particular, we show that our assumption holds in the generic group model. 

4. Knowledge assumptions are especially delicate assumptions whose plausibility may be hard 
to gauge. We give a novel framework to express knowledge assumptions in a more flexible 
way, which may allow for formulation of plausible assumptions and exploration of their 
impact and application in cryptography. 

Keywords. Concurrent Zero-Knowledge, Knowledge Assumptions, Non-Black-Box Techniques



1 Introduction 



Zero-knowledge proofs [GMR89] are fundamental and important tools in the design of cryptographic
protocols. The original setting of zero-knowledge proofs contemplated a single prover
and a single verifier executing a single protocol session in isolation. Concurrent zero-knowledge [DNS98]
(cZK) extends zero-knowledge to concurrent settings, where several protocol sessions are executed
at the same time involving multiple provers and verifiers. Resolving the round complexity
of concurrent zero-knowledge protocols has been a long-standing open problem. There have
been several negative results which give lower bounds for the round complexity of black-box
simulation of cZK [KPR98, Ros00, CKPR01]. The best result, which uses black-box simulation,
has $\omega(\log n)$ round complexity [PRS02], where n is the security parameter. This nearly matches
the best known lower bound for black-box simulation [CKPR01], which states that any black-box
concurrent zero-knowledge protocol must require at least $\tilde{\Omega}(\log n)$ rounds. Hence, our only
hope of achieving constant-round cZK lies in non-black-box simulation. In his seminal work,
Barak [Bar01] introduced the first non-black-box simulation technique, but this technique and its
variants have not yet yielded a concurrent zero-knowledge protocol with lower round complexity
than the work of [PRS02]. Indeed, Barak explicitly posed the problem of constructing constant-round
concurrent zero-knowledge arguments as "an important open question" [Bar01]. Despite
many attempts in this direction, this is still a long-standing open problem in cryptography.

In this work, we consider whether non-black-box techniques based on knowledge assumptions
can be applied to achieve constant-round concurrent zero-knowledge protocols. We answer this
question affirmatively, by giving the first constant-round concurrent zero-knowledge protocol
based on a knowledge assumption, which is a novel variant of the knowledge of exponent
assumption first introduced by Damgård [Dam91] and used by Hada and Tanaka [HT98] in the
context of ordinary zero-knowledge protocols.

Furthermore, our techniques allow us to avoid the inefficiency inherent in previous non-black-box
techniques, such as those of Barak [Bar01]. Indeed, we obtain our result by providing an
efficient transformation from constant-round stand-alone protocols to constant-round concurrently
secure zero-knowledge protocols.

Recently, there has been an explosion of interest in knowledge assumptions. Knowledge
assumptions became popular when they were applied to the construction of three-round zero-knowledge
arguments by [HT98]. This has led to a number of interesting research papers
applying knowledge assumptions to a variety of different contexts [BP04, AF07, CD08, CL08,
UD09, PX09, IKOS10, Gro10, GKR10, GLR11, BCCT12, DFH12]. Prior to our work, to the
best of our knowledge, knowledge assumptions had not been applied successfully to achieve
concurrent security. As we explore below, this is because of a number of complications which
arise when one applies knowledge assumptions to concurrent settings.

Our Contributions: We show the following: 

1. We obtain the first constant-round concurrent zero-knowledge argument for NP in the plain
model based on a new variant of the knowledge of exponent assumption. Our compiler for
obtaining a concurrently secure protocol is efficient and avoids the inefficiency inherent in other
non-black-box techniques.

2. Unlike Hada and Tanaka [HT98], we do not require a knowledge assumption to argue the
soundness of our protocol. Instead, we use a discrete log like assumption, which we call
DHLA (see Section 3.1), to prove the soundness of our protocol.

3. We give evidence that our new variant of knowledge of exponent assumption is in fact 
plausible. In particular, we show that our assumption holds in the generic group model. 

4. As we discuss in greater detail below, and as has been discussed throughout the history 
of knowledge assumptions in cryptography, knowledge assumptions are especially delicate 
assumptions whose plausibility may be hard to gauge. We give a novel framework to 
express knowledge assumptions in a more flexible way which may allow for formulation of 
plausible assumptions and exploration of their impact and application in cryptography. 
On Knowledge Assumptions and their Applications in Cryptography. Knowledge
assumptions are inherently non-black-box. Informally speaking, knowledge assumptions can
be expressed by assuming that there is a specific "Knowledge Commitment Protocol"^1 such that
we can efficiently extract the value committed by the adversary if he completes the commitment
protocol successfully; in other words, we assume that any adversary that successfully completes
the Knowledge Commitment Protocol must have "knowledge" of the value that it committed to.
For the purpose of this introduction, assume that the Knowledge Commitment Protocol is just a
two-message protocol in which first the Receiver sends a random message to the Committer and
then the Committer responds with a commitment to a value^2. Knowledge assumptions present
a number of challenges to the research community from the point of view of the falsifiability
rubric of Naor [Nao03]: they do not fall in the desirable category of falsifiable assumptions
in [Nao03].

Furthermore, knowledge assumptions present challenges with regard to auxiliary inputs, as is
also pointed out in the early work of Hada and Tanaka [HT98]. Intuitively, the problem arises
if we consider what happens if an adversary is given as auxiliary input an obfuscated program.
The adversary simply compiles and executes the obfuscated program to obtain the commitment
message. Then a knowledge assumption, which is expected to hold for all auxiliary inputs, would
imply an efficient extraction of the committed value. This would imply an efficient deobfuscation,
which seems problematic. It was recently suggested by Bitansky et al. [BCCT12] that it is more
reasonable to assume that knowledge assumptions only hold with respect to "benign" auxiliary
inputs. One of our contributions is to put forward a framework for formulating knowledge
assumptions with respect to Admissible Adversaries. This allows us to specify a set of auxiliary
inputs with respect to which the knowledge of exponent assumption would hold. For applications
in cryptography we want this class to be as large as possible. Despite these drawbacks, the study
of knowledge assumptions in cryptography has been thriving recently. This is evident from the
long list of interesting research papers cited above. (See Section 8 for more details.)

Limitations of Knowledge Assumptions in the Setting of Concurrency. Undoubtedly,
the reason that knowledge assumptions have attracted attention is because they are
very useful for achieving important goals in cryptography. Indeed, often it may seem that
knowledge assumptions are so powerful that they can be used to achieve any plausible result that we
want to achieve in cryptography. For example, when it comes to the simulation of protocols,
intuitively it seems that whenever the adversary commits to some value, the simulator can use
the knowledge assumption to extract the hidden value committed to. Hence, it seems this can
become a universal technique for straight-line simulation^3. This intuition is false, as we describe
below.

One way to see that the above intuition is false is by observing a long list of unconditional
impossibility results for concurrent simulations in the plain model [CF01, Lin03, Lin04, BPS06,
KLR10, GKOV12, AGJ+12] and observing that the above intuition seems to give a simulation
technique applicable to any concurrent setting. Even in restricted models of concurrency, there
are many natural protocol tasks that are impossible even with knowledge assumptions. One
of the most relevant examples is concurrently secure oblivious transfer (OT), in the "fixed
roles" setting and with fixed inputs for honest parties. This setting is almost identical to
concurrent zero-knowledge, with the only difference being that there one is trying to achieve OT
as opposed to zero-knowledge, but there are no issues of "man-in-the-middle attacks" or adaptive
choice of inputs. Nevertheless, a concurrently secure OT protocol in the fixed roles setting and
with fixed inputs for honest parties is impossible even with knowledge assumptions [GKOV12,
AGJ+12], yet as we show, there is a plausible assumption under which we achieve constant-round
concurrent zero-knowledge. The negative results show that potential specific knowledge
assumptions, which would be powerful enough to allow for concurrently secure OT, must be
false. (We stress that the novel knowledge of exponent assumption we formulate here would not
naturally provide a simulation of a concurrent OT protocol.)

^1 Our assumption is concrete. See Section 3.4.

^2 The commitment here does not refer to a semantically secure commitment scheme.

^3 For example, consider the following coin flipping protocol. The adversary commits to R, the honest party sends R',
and the adversary opens R. The result of the coin flipping protocol would be $R \oplus R'$. Intuitively, a knowledge assumption would
allow the simulator to force the outcome of the coin flipping to any string it wants, since it would know R immediately
after the adversary's commitment through extraction. Thus, one might conclude that with knowledge assumptions
we can achieve the CRS model. This intuition is false.

As suggested above, one of the main non-trivialities of our work is to formulate a plausible 
knowledge assumption that would allow us to achieve constant round concurrent zero-knowledge, 
while remaining plausible. We begin our discussion here with natural attempts to apply knowl- 
edge assumptions to the concurrent setting, and their limitations. We believe that this discussion 
will be useful to other researchers who would like to apply knowledge assumptions to other inter- 
esting problems in cryptography, while also illustrating the non-triviality of achieving concurrent 
security using a plausible knowledge assumption. 

Perhaps the most promising idea would be to formulate an "interactive" knowledge assumption.
Informally speaking, such an assumption would say that extraction is possible after an
arbitrary interaction which took place prior to the final message in the Knowledge Commitment
Protocol. However, any natural formulation of such an interactive knowledge assumption would
be powerful enough to achieve concurrent realization of functionalities such as OT. Hence, we
know that such an assumption must be false. Indeed, such an assumption would be falsified by
considering a scenario in which the actions of the adversary in the Knowledge Commitment Protocol
are fully specified by messages that the adversary received in the past, and not directly by
the adversary itself. (For example, the functionality being computed could provide the messages
of the Knowledge Commitment Protocol as outputs to the adversary [BPS06, AGJ+12].) Intuitively,
in such a situation, the adversary doesn't have any knowledge of the value he committed
to, and hence the goal of extraction is untenable. Essentially the problem is that some "external
knowledge" may find its way to the adversary by means of previous interactions and get used by
it to generate its messages in the Knowledge Commitment Protocol. Similar problems arise when
trying to use auxiliary inputs to the extractor promised by a knowledge assumption in order to
facilitate extraction in the concurrent setting. (See Appendix A for a brief discussion.)



Recursive Applications of Knowledge Assumptions and their Limitations.

Another approach would be to apply a knowledge assumption recursively for each session. What
we mean by this is as follows: Essentially, a knowledge assumption transforms an adversary
circuit A into another (potentially polynomially larger) circuit A' that behaves just like A
but also outputs an extracted value. If we apply a knowledge assumption recursively, then
we would transform the original adversary circuit A into A', but then apply the knowledge
assumption again to transform A' into A''. However, clearly if such a recursion is applied a super-constant
number of times, then the final circuit might be super-polynomial in size. This problem
was encountered by Bitansky et al. [BCCT12] in the construction of succinct non-interactive
adaptive arguments of knowledge (SNARKs) using extractable collision resistant hash functions
(ECRH). To prove the proof of knowledge property, the extractor needs to extract the full
Probabilistically Checkable Proof (PCP) given only the root of a Merkle tree. The natural
solution is to apply the knowledge extraction recursively at each level of the tree. But since
each level of extraction potentially incurs a polynomial blow-up, one can apply extraction only a
constant number of times. One of the major contributions of [BCCT12] was to circumvent this
problem by using Merkle trees with polynomial fan-in and constant depth. Note, however, that
we do not have any such option while constructing a constant-round concurrent zero-knowledge
protocol because the number of concurrent sessions can be any unbounded polynomial.

One natural approach to avoid this blow-up with each recursive extraction would be to
assume a stronger property on the running time of the extractor. For example, one can assume
the existence of an extractor which only takes an additive poly(n) (where n is the security
parameter) factor more than the running time of the adversary. Note that the factor of poly(n)
is independent of the running time of the adversary. We call this the +poly(n) assumption.
However, this assumption seems too strong and in fact potentially implausible^4. On the other
hand, if we do not make such a strong assumption, the essence of the problem is that if we want
to apply the knowledge extractor recursively, we cannot afford it to take even a factor $m^{\epsilon}$ longer than
the adversary, where m is the running time of the adversary and $\epsilon$ is an arbitrary constant.
Note that we do not make the +poly(n) assumption.

Intuition behind our assumption. Our first idea is to separate the process of extraction 
from the behavior of the adversary. More precisely, we will think of the adversary as a circuit 
M. If M completes the Knowledge Commitment Protocol, an application of our assumption to 
M gives us a separate extractor circuit E. The assumption states that the input wires of E can 
be any wire inside the circuit M, including input, intermediate, or output wires. The output 
of E(x) is only the value committed to in the output of M(x). Now that we have separated 
the extractor from the adversary, we make the following observation: It is reasonable to assume 
that when the assumption is applied to create an extractor circuit E, the assumption does not 
attempt to place any "external knowledge" into E or attempt to hide any knowledge in E. In 
other words, the extractor created by the assumption is not maliciously created. Hence, let us 
call it benign and denote it by B. Note that we will only consider benign circuits that are created 
by the assumption. The benign circuits are not assumed to remain benign if they are modified. 
Now we can state our assumption: 

Assumption 1.1 (Informal knowledge assumption). Consider a pair of malicious and benign 
circuits (M, B) such that M completes a Knowledge Commitment Protocol and outputs a 
commitment to a value. Then there exists a polysize benign extractor circuit E which takes as 
input a subset of wires of M, and outputs the value committed to by M. Moreover, the size of 
the extractor E is bounded by a fixed polynomial in the size of M and the security parameter 
n. 

Now consider a recursive application of our assumption. Recall that the recursive application
is required for the following: Suppose we have an adversary and we execute it to obtain some
number of messages until it completes a Knowledge Commitment Protocol. Then we apply the
knowledge assumption to obtain an extractor that allows us to obtain the committed value. We
then use the extracted value in order to execute the adversary for some additional number of
messages until it finishes another Knowledge Commitment Protocol (and so on). Let us denote
by M the execution of the adversary so far. Note that the inputs to M are essentially the
original inputs to the adversary together with the outputs of the extractors so far. Denote by
B the collection of extractors so far.

Now let us consider what happens when we apply our assumption to (M,B). We obtain 
an extractor E that extracts a value committed in the output of M. We observe that while 
B was involved in the execution of the adversary, only the outputs of B were ever used by M 
to compute its output commitment message. Furthermore, as argued above, B was benignly 
created by the assumption and thus has no external or hidden knowledge inside it. Thus we 
argue, that it is reasonable to assume that the size of the extractor E created by the assumption 
is a fixed polynomial in the size of only the malicious circuit M. Recall that M contains all the 
malicious computations done by the adversary. We now make the following observations about 
our assumption. 

^4 Consider the following scenario: Given a random group element g from a special group G, the adversary is
expected to output $g^b$ (a commitment to b) and the extractor's task is to output b. However, the adversary applies a hash
function to its input and gets a pseudorandom string $s = s_1 \ldots s_m$ of length m, where m depends on the running time
of the adversary and is not a fixed polynomial in length. Now, it traverses the string s and recursively applies a special
function A, such that $A(d, g^x) = g^{f(d,x)}$. In other words, the adversary computes $A(s_1, A(s_2, \ldots, A(s_m, g) \cdots))$. Now
suppose A and f satisfy the following conditions: (1) $\mathrm{Time}(A) < \mathrm{Time}(f)$; (2) $\mathrm{Time}(f(s_1, f(s_2, \ldots, f(s_m, 1) \ldots))) = m \cdot \mathrm{Time}(f)$.
Then, by the latter condition, the extractor needs to compute f iteratively. Thus, the extractor will need
at least O(m) more operations than the adversary, where m is decided by the adversary. We do not know if such an
A and f exist. However, if such an A and f did exist, it would refute the +poly(n) assumption.
• We observe that without loss of generality, we can assume that in a recursive application
of our assumption, the extractor created by the assumption in fact contains all of the
extractors created previously inside of it. Namely, the benign circuit B is a part^5 of the
newly created extractor E. Thus E can make use of all of the intermediate wires of
previously created extractors, without loss of generality. These intermediate values may
contain useful knowledge which may help the extraction of the value committed in the
output message of M.

• We also observe that the counter-example we contemplated in Footnote 4 to the +poly(n)
assumption is compatible with our assumption^6. That is, the existence of the functions A
and f specified in the counter-example would not refute our assumption. Essentially this
is because our extractor E is allowed to be polynomially larger than the malicious circuit
M.

• We further validate the plausibility of the specific knowledge assumption that we make (see
Section 3.4) by providing a proof that the assumption holds in the generic group model
(Section 7).

• To understand what computational complexity limitations our assumption is placing on the
Knowledge Commitment Protocol, let us first examine an important complexity limitation
that the knowledge of exponent assumption of Hada and Tanaka (HTKEA) [HT98] places
on the Knowledge Commitment Protocol. For simplicity of notation here, let us assume
that the Knowledge Commitment Protocol is a non-interactive commitment denoted by
Com(x). Consider a circuit A such that:

$$A(x) = \mathrm{Com}(\mathrm{Com}(\cdots(\mathrm{Com}(f(x)))\cdots)) \qquad (\ell \text{ nested applications of } \mathrm{Com})$$

where f is not efficiently computable. Then the HTKEA implies that there cannot exist
such a polysize circuit A for any constant $\ell$. This is because by making a constant number of recursive
invocations of HTKEA we will be able to extract f(x) and generate a polysize circuit that
computes f. Because our assumption admits further recursive invocations with efficient
extraction, it would imply that such a polysize circuit A should not exist for larger
values of $\ell$. However, we note that the commitment we use is size increasing, namely
$|\mathrm{Com}(x)| \ge 2|x|$. Therefore our assumption would imply that such a circuit A cannot exist
for any $\ell$ which is $O(\log n)$. We believe that if such a complexity assumption holds for a
constant $\ell$, as the HTKEA implies, then it is quite plausible that it holds for $\ell = O(\log n)$.

We describe two variants of our protocol: First, we provide a simpler protocol transformation 
that uses bilinear groups. This protocol is quite efficient and requires only 5 rounds. Our second 
protocol works with a knowledge assumption in general groups (without the need of a bilinear 
map), at the cost of a constant number of additional rounds, and is slightly less efficient. 



Organization. The paper is organized as follows: We discuss the technical sections beginning
with background on zero-knowledge, canonical arguments and commitment schemes in
Section 2. We describe the DHLA assumption and our knowledge assumption for bilinear groups
in Section 3. We describe our protocol (which uses bilinear groups) in Section 4 and prove its
soundness in Section 5. Next, we show that our protocol is zero-knowledge in the concurrent
setting in Section 6. For general groups, the knowledge assumption and the protocol for concurrent
zero-knowledge are described in Appendix D. Then we prove that our knowledge assumption
holds in the generic group model in Section 7. Finally, we discuss related work in Section 8.

^5 We stress that if every recursively created extractor contains all the previously created extractors inside it, then the
last invocation of the assumption only needs to embed the previous extractor (since it already contains all earlier
extractors). This prevents the exponential blow-up in size that a reader might otherwise worry would occur.

^6 On the other hand, if the reader believes that the counter-example from Footnote 4 is not plausible, then it is
easy to see that the +poly(n) assumption implies our assumption.
2 Definitions and Preliminaries



In the following sections, we will denote the security parameter by n. We denote an NP-complete
language by L, and if $x \in L$ then $W_L(x)$ denotes the set of witnesses w to that fact.

Definition 2.1 (Bilinear Groups). A bilinear group is a tuple $\mathcal{BG} = (q, G, G_T, e, g)$, where G
and $G_T$ are cyclic groups of prime order q, g generates G, and $e : G \times G \to G_T$ is an efficient
non-degenerate bilinear map, i.e. $\forall X, Y \in G\ \forall a, b \in \mathbb{Z}_q : e(X^a, Y^b) = e(X, Y)^{ab}$, and $e(g, g)$
generates $G_T$. Let $L_{BG}$ denote the set $\{(q, g, e)\}$, where g generates a bilinear group of
prime order q, q is an n-bit prime, and e is an efficient non-degenerate bilinear map.
For brevity, we will suppress the bilinear map when it is obvious from the context, and simply
write $(q, g) \in L_{BG}$. Also, we will assume that if q is an n-bit prime then any $x \in \mathbb{Z}_q$ can be
represented by a unique n-bit string. For ease of notation, we just use x to denote this unique
string.

Definition 2.2 (Interactive Arguments). Let P, V be two PPT interactive machines. We denote
the probability that V accepts $x \in L$ on interacting with P by $\mathrm{Acc}(P(x, w), V(x))$. We say that
(P, V) is an interactive argument for an NP-complete language L if the following two conditions
are satisfied:

• Efficient Completeness: For every $x \in L$, there exists a string w such that

$\mathrm{Acc}(P(x, w), V(x)) = 1.$

• Computational Soundness: For every PPT machine $P^*$ (cheating prover), every polynomial
poly(·), all sufficiently long $x \notin L$ and all strings w,

$\mathrm{Acc}(P^*(x, w), V(x)) < \frac{1}{\mathrm{poly}(n)}.$

Definition 2.3 (Non-Black-Box Zero-Knowledge protocol w.r.t. auxiliary input of length m).
Let m be a polynomial in n. Let P, V be two PPT interactive machines. We say that (P, V) is a
non-black-box zero-knowledge protocol for L w.r.t. auxiliary input of length m if for every PPT
machine $V^*$ there exists a PPT machine $S_{V^*}$ such that the following two distribution ensembles
are indistinguishable:

$\{S_{V^*}(x, y)\}_{x \in L,\ y \in \{0,1\}^m}$ and $\{\langle P(x, w), V^*(x, y)\rangle\}_{x \in L,\ w \in W_L(x),\ y \in \{0,1\}^m},$

where $\{\langle P(x, w), V^*(x, y)\rangle\}_{x \in L,\ w \in W_L(x),\ y \in \{0,1\}^m}$ is a random variable taking the value of $V^*$'s
random coins and the sequence of messages in the interaction between P and $V^*$.

2.1 Concurrent Zero-Knowledge (cZK)

Let {P, V) be an interactive proof system for a language L, and consider a concurrent adversary 
V* that given an input x G L interacts with an unbounded number of copies of the prover P 
concurrently. Moreover, there is no restriction on the scheduling of the messages between P and 
V* (in particular, V* controls the scheduling of these messages). 

The transcript of the concurrent session consists of the common input x, followed by a 
sequence of messages exchanged between the prover and the verifier. The view of V* when it 
interacts with P consists of the random tape of V* together with the transcript of the protocol. 

To prove that any protocol is zero- knowledge in the concurrent setting, we show the existence 
of a simulator for every concurrent verifier V* that interacts with m copies of P, where m is 
bounded by a polynomial in n. 

Definition 2.4 (Non-Black-Box cZK with auxiliary input of length m). Let (P, V) be an
interactive argument system for a language L. We say that (P, V) is non-black-box concurrent
zero-knowledge if for every concurrent adversary $V^*$ (with auxiliary input y of length m) that
runs at most m concurrent sessions with P, where m is $n^c$ for any constant c, there exists
a probabilistic polynomial time algorithm $S_{V^*}$ that runs in time polynomial in the running time
of $V^*$ and n and satisfies that the following ensembles are computationally indistinguishable:

$\{S_{V^*}(x, y)\}_{x \in L,\ y \in \{0,1\}^m,\ m \le n^c}$ and $\{\langle P(x, w), V^*(x, y)\rangle\}_{x \in L,\ w \in W_L(x),\ y \in \{0,1\}^m,\ m \le n^c}.$

In the final constant-round protocol for concurrent zero-knowledge ($\Pi$) (see Section 4) using the
knowledge assumption in bilinear groups, we will use a discrete log based equivocal commitment
scheme and three-round canonical arguments as subroutines. Hence, we define and describe these
next. Then we will describe the assumptions used to prove the soundness and the zero-knowledge
properties of our protocol in bilinear groups. In the subsequent section, we will describe our
protocol for concurrent zero-knowledge ($\Pi$) in detail. We describe the constant-round concurrent
zero-knowledge protocol for non-bilinear groups in Appendix D. In this protocol, we also
use a constant-round statistically sound zero-knowledge protocol in the stand-alone setting (see
Appendix D.1).

2.2 Canonical Arguments 

A three round canonical argument (P, V) for an NP-complctc language L, proposed by [HT98] . 
is described in Figure Q] Cmt and Rsp are the first and second messages of the prover and Ch 
is the message sent by the verifier. 

Definition 2.5. An argument system (P, V) for an NP-complcte language L is called a canonical 
argument system if it satisfies the following properties: 

BO The prover is a probabilistic polynomial time function which is given the NP-witness w. 
When this function is invoked with an incoming message Mi n and its state, it outputs 
M out and its updated state. The initial state of the prover is set to (x,w 7 R), where x is 
the common input, w is its auxiliary input and R is the random tape. When it is invoked 
with (e, (x, w, R)) it outputs the prover's first message which is a commitment Cmt. 

Bl The verifier selects the challenge Ch uniformly at random from {0, 1}™. 

B2 Strong-Soundness: For any x £ L and Cmt, there exists at most one challenge Ch £ {0, 1}™ 
for which there exists a Rsp £ {0, 1}* such that Ver^Cmt, Ch, Rsp) = 1. 

B3 Honest Verifier Zero Knowledge (HVZK): There exists a probabilistic polynomial time Sim- 
ulator Shv such that following two ensembles are computationally indistinguishable: 

{S H v{x)}xeL and {(P(x, w), V(x))} x( z L:W£Wl(x) , 

where {(P(x, w), V (%)}}xEL,weWL(x) 1S a random variable taking the value of V's internal 
coin tosses and the sequence of messages it receives in interaction between P (with auxiliary 
input w) and V. 

One of the ways to construct such a protocol, as described by Hada and Tanaka [HT98j . is 
parallel composition of Blum's ZK protocol for Hamiltonicity. 



Figure 1: Three Round Canonical Argument System (P, V). Prover P starts in state $St_0 = (x, w, R)$,
computes $(\mathrm{Cmt}, St_1) \leftarrow P(\varepsilon, St_0)$ and sends $P_1$: Cmt. Verifier V samples $\mathrm{Ch} \leftarrow \{0,1\}^n$ and sends
$V_1$: Ch. P computes $(\mathrm{Rsp}, St_2) \leftarrow P(\mathrm{Ch}, St_1)$ and sends $P_2$: Rsp. V accepts $x \in L$ if
$\mathrm{Ver}_x(\mathrm{Cmt}, \mathrm{Ch}, \mathrm{Rsp}) = 1$ and rejects otherwise.
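As an added illustration (this is not code from the paper or from [HT98]), the following Python implements k parallel copies of Blum's Hamiltonicity protocol in the shape of Definition 2.5: a stateful prover that is invoked once on the empty message and once on the challenge (B0), a k-bit challenge (k plays the role of n here), the verifier predicate $\mathrm{Ver}_x$, and the witness-free strategy that serves both as the honest-verifier simulator $S_{HV}$ (B3) and as the only thing a cheating prover can do, namely guess the challenge in advance (B2). The commitment `SHA-256(key || bit)` stands in for a bit commitment, the graph encoding (a set of `frozenset` edges on vertices `0..n-1`) and all function names are this example's own choices.

```python
import hashlib
import secrets
from itertools import combinations

def _com(bit, key):                      # Com(bit; key) = SHA-256(key || bit), key = 16 random bytes
    return hashlib.sha256(key + bytes([bit])).digest()

def _perm(n):                            # uniformly random permutation of the vertices 0..n-1
    pi = list(range(n))
    secrets.SystemRandom().shuffle(pi)
    return pi

def _apply(pi, edges):                   # H = pi(G): relabel every edge of G through pi
    return {frozenset(pi[v] for v in e) for e in edges}

def cycle_edges(order):                  # edges of the Hamiltonian cycle visiting `order` in turn
    return {frozenset((order[i], order[(i + 1) % len(order)])) for i in range(len(order))}

def is_ham_cycle(n, edges):
    """True iff `edges` is one cycle through all n vertices: n edges, every degree 2, connected."""
    adj = {v: set() for v in range(n)}
    for e in edges:
        if len(e) != 2 or not e <= set(adj):
            return False
        for v in e:
            adj[v] |= e - {v}
    if len(edges) != n or any(len(a) != 2 for a in adj.values()):
        return False
    seen, todo = set(), [0]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(adj[v])
    return len(seen) == n

def _commit_graph(n, H):
    """Commit to every adjacency-matrix entry (u < v) of H; returns (openings, commitments)."""
    keys, coms = {}, {}
    for pair in combinations(range(n), 2):
        bit, key = int(frozenset(pair) in H), secrets.token_bytes(16)
        keys[pair], coms[pair] = (bit, key), _com(bit, key)
    return keys, coms

class Prover:
    """B0: stateful prover, initial state (x, w, R) with x = (n, edges) and w = a Hamiltonian cycle."""
    def __init__(self, n, edges, cycle):
        self.n, self.edges, self.cycle, self.state = n, edges, cycle, []

    def first(self, k):                  # Cmt on the empty message: copy i commits to pi_i(G)
        cmt = []
        for _ in range(k):
            pi = _perm(self.n)
            keys, coms = _commit_graph(self.n, _apply(pi, self.edges))
            self.state.append((pi, keys))
            cmt.append(coms)
        return cmt

    def second(self, ch):                # Rsp: bit 0 opens everything plus pi_i, bit 1 only the cycle
        rsp = []
        for (pi, keys), bit in zip(self.state, ch):
            if bit == 0:
                rsp.append(("perm", pi, keys))
            else:
                cyc = {tuple(sorted(e)) for e in cycle_edges([pi[v] for v in self.cycle])}
                rsp.append(("cycle", {pr: keys[pr] for pr in cyc}))
        return rsp

def verify(n, edges, cmt, ch, rsp):
    """Ver_x(Cmt, Ch, Rsp): accept iff every parallel copy opens consistently with its challenge bit."""
    if not (len(cmt) == len(ch) == len(rsp)):
        return False
    for coms, bit, ans in zip(cmt, ch, rsp):
        if bit == 0:                     # must reveal a permutation pi and the whole matrix of pi(G)
            if ans[0] != "perm" or sorted(ans[1]) != list(range(n)):
                return False
            H = _apply(ans[1], edges)
            for pair in combinations(range(n), 2):
                op = ans[2].get(pair)
                if op is None or op[0] != int(frozenset(pair) in H) or coms[pair] != _com(*op):
                    return False
        else:                            # must reveal 1-entries that form a Hamiltonian cycle
            if ans[0] != "cycle":
                return False
            for pair, (b, key) in ans[1].items():
                if b != 1 or coms.get(pair) != _com(1, key):
                    return False
            if not is_ham_cycle(n, {frozenset(p) for p in ans[1]}):
                return False
    return True

def simulate(n, edges, k, ch=None):
    """B3 simulator S_HV(x): pick Ch first, then answer without w (bit 0: commit to pi(G);
    bit 1: commit to a random Hamiltonian cycle graph).  With a caller-chosen ch this is also
    the challenge-guessing cheating prover that B2 bounds.  Returns (Cmt, Ch, Rsp, openings)."""
    ch = [secrets.randbelow(2) for _ in range(k)] if ch is None else list(ch)
    cmt, rsp, state = [], [], []
    for bit in ch:
        pi = _perm(n)
        H = _apply(pi, edges) if bit == 0 else cycle_edges(pi)
        keys, coms = _commit_graph(n, H)
        cmt.append(coms)
        state.append((pi, keys))
        rsp.append(("perm", pi, keys) if bit == 0 else
                   ("cycle", {tuple(sorted(e)): keys[tuple(sorted(e))] for e in H}))
    return cmt, ch, rsp, state
```

An honest run is `P = Prover(n, edges, cycle); cmt = P.first(k); rsp = P.second(ch); verify(n, edges, cmt, ch, rsp)`. Strong soundness is visible in `simulate` with a fixed `ch` on a graph with no Hamiltonian cycle: the commitments it produces can be opened for that one challenge only, since a copy committed to a cycle graph cannot also be opened as `pi(G)`, and vice versa, without breaking the commitment. For the real parameter the challenge has n bits, so a cheating prover's guess succeeds with probability $2^{-n}$.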
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2.3 Discrete Log based Equivocal Commitment Scheme Comoi 

The committer and the receiver are given a group G of prime order q, its generator g and an 

$ 

element B £ G such that g is an n— bit prime. To commit to x £ Z g , choose r <s— Z g and send 
Z = g x ■ B r . To open, the sender sends (x, r). 

This commitment scheme is perfectly hiding i.e. CorriDi(x) and Coiti£>l(V) are identically 
distributed. If the committer does not know the discrete log of B, then Com ql is computation- 
ally binding under discrete log assumption. We assume that discrete log assumption holds in 
all the groups we consider. Also, if Z is a commitment under Com^^, then given two distinct 
openings of Z to (x,r) and (x',r') such that x ^ x' . one can easily solve for the discrete log 
of B, say 6, as follows: b = (x — x') ■ (r' — r) -1 . Also, if the simulator knows the discrete log 
of B, say b, it can open Z = Corner (x;r) as being a commitment to any x' £ T, q by sending 
r' = OperiDL{x, x' , r, b) = (x + r ■ b — x') ■ b^ 1 . 

3 Assumptions 

We begin this section by describing an assumption which is very similar to the discrete logarithm 
assumption (DLA). Given (q, g) ∈ L_QG, DLA says that given a random group element A = g^a, 
it is hard for any polysize circuit to compute a with non-negligible probability. The Diffie-Hellman 
Log Assumption says that given a Diffie-Hellman tuple (g^a, g^b, g^{ab}), it is difficult to compute b 
even when a is chosen maliciously by the adversary. Let us denote the set of Diffie-Hellman tuples by DH. 

Assumption 3.1 (Diffie-Hellman Log Assumption (DHLA)). For every family of probabilistic 
polynomial size circuits I = {I_n}_{n ≥ 1}, every poly(·), all sufficiently large n's and all (q, g) ∈ L_QG 
such that q is of length n, consider the following probabilistic experiment: 

• I_n on input ("Step 1", 1^n) outputs (g, A), where A ∈ G. 

• Given (g, A) as input, the experiment chooses b ∈ Z_q^* and computes (B = g^b, X = A^b). 

Then DHLA says that if (g, A, B, X) is a Diffie-Hellman tuple, the probability that I_n, given 
this tuple, outputs the discrete log of B is negligible even when A is chosen maliciously by I_n. More 
formally, 

Pr[I_n("Step 2", g, A, B, X | (A, B, X) ∈ DH) = b : B = g^b] < 1/poly(n) 

for any choice of A by I_n. 

Knowledge Assumption: Below, by a circuit C we mean a collection of Boolean gates and 
wires. We use the non-standard convention that certain gates are specially marked as output 
gates. 

Definition 3.2 (Admissible family of Adversaries). An admissible family of adversaries A is 
a family of sets such that the following properties hold: Each set S ∈ A is of the form S = 
{C_n, M_n, B_n, aux_n}_{n ∈ N}. For each such set S, there exist constants c, c' > 0 such that C_n is a 
circuit with |C_n| ≤ n^c, and aux_n ⊆ {0,1}^{n^{c'}}. Furthermore, {M_n, B_n} is a partition of the gates 
and the wires of the circuit C_n. If x is the input to C_n, then by M_n(x) we refer to the result of 
the computation C_n(x) restricted to the output wires in M_n; we define B_n(x) similarly. 

We will refer to M_n and B_n as the malicious and the benign parts, respectively, of the 
adversary circuit C_n. 

Definition 3.3 (A admits polysize malicious extensions). An admissible family of adversaries A 
admits polysize malicious extensions if the following holds: For any set of circuits S ∈ A where 
S = {C_n, M_n, B_n, aux_n}_{n ∈ N}, and any polysize circuit family {F_n}_{n ∈ N} such that there exists 
d > 0 with |F_n| ≤ n^d and the input wires to F_n are a subset of the wires in M_n (including both 
internal and output wires) and the output wires of B_n, we have that S' = {C_n ∪ F_n, M_n ∪ F_n, B_n, aux_n} ∈ A. 

Next, based on the definition above, we define a variant of the knowledge of exponent assumption 
based on the one described by Hada and Tanaka [HT98]. 
Assumption 3.4 (m-Knowledge of Exponent Assumption (m-KEA) w.r.t. admissible adver- 
saries). We say that the m-Knowledge of Exponent Assumption holds with respect to a family 
of admissible adversaries A if for every c > 0 there exists a constant d > 0 such that the 
following holds: For m = n^c, fix any S = {C_n, M_n, B_n, aux_n}_{n ∈ N} ∈ A. Then there exists a 
family of extraction circuits {E_n}_{n ∈ N} whose inputs are a subset of the wires in M_n, such that 
|E_n| ≤ (n · |M_n|)^d. (Informally, this condition requires that the extraction only uses the inter- 
nal wires of the malicious part of the adversary.) Furthermore, we require that the following 
conditions hold: 

1. For all sufficiently large n and every polynomial poly(·), the following is true for all aux ∈ aux_n: 
Consider the following probabilistic experiment: For i ∈ [1, m], primes q_i and generators 
g_i are chosen randomly such that (q_i, g_i) ∈ L_QG, where q_i is chosen to be of length 
n. Values a_1, ..., a_m are chosen at random such that a_i ∈ Z_{q_i}^*. Finally, R is chosen 
uniformly at random from sufficiently long strings so that the length of the tuple x = 
((q_1, g_1, g_1^{a_1}), ..., (q_m, g_m, g_m^{a_m}), aux, R) is exactly the length of the input to circuit C_n. 
If the input to C_n is not long enough to allow such an input then the assumption is 
vacuously true for this S. Now, we consider the output of M_n(x), which we interpret as a 
tuple (j, B, X), where j ∈ [m], and both B and X are in the group generated by g_j. Then 
we interpret the output of E_n(x) as the value b_j ∈ Z_{q_j}, and require the following to be 
true: 

Pr[X = B^{a_j} ∧ B ≠ g_j^{b_j}] < 1/poly(n) 

(Informally, this condition states that if the malicious part of the adversary outputs a 
tuple so that (g_j, g_j^{a_j}, B, X) form a Diffie-Hellman tuple, then the extractor E_n successfully 
outputs the discrete log of B with respect to g_j.) 

2. We have that (C_n ∪ E_n, M_n, B_n ∪ E_n, aux_n) ∈ A. (Informally, this means that the extraction 
circuit created by this assumption is benign.) 

Definition 3.5. An admissible set of adversaries A contains all polysize malicious adversaries 
if for all c, c' > 0 and for all circuit families {C_n}_{n ∈ N} such that |C_n| ≤ n^c, for each n there 
exists some subset aux_n ⊆ {0,1}^{n^{c'}} such that (C_n, C_n, ε, aux_n) ∈ A. We say that A contains 
all polysize malicious adversaries with all polysize auxiliary inputs if aux_n = {0,1}^{n^{c'}} for each 
circuit family above. 

Theorem 3.6 (Informal). If the m-Knowledge of Exponent assumption holds with respect to 
an admissible adversary family A such that A contains all polysize malicious circuits and allows 
polysize malicious extensions, and DHLA holds, then there exist constant-round concurrent zero- 
knowledge arguments for NP in the plain model. 

Furthermore, if A contains all polysize malicious adversaries with all polysize auxiliary in- 
puts, then there exist constant-round concurrent zero-knowledge arguments for NP in the plain 
model with respect to arbitrary auxiliary inputs. 



4 Constant Round Protocol for Concurrent Zero-Knowledge 

The protocol starts by asking the verifier to use the Knowledge Commitment Protocol to commit 
to a value b in B = g^b. We use equivocal commitments whose trapdoor is b to run a coin 
flipping protocol between the prover and the verifier. In parallel with the coin flipping protocol, 
we run a parallel repetition of Blum's Hamiltonicity protocol, where the result of the coin flipping 
protocol determines the challenge message. We describe the 5-round protocol for concurrent 
zero-knowledge argument in Figure 2. Note that the protocol execution does not make use of 
the bilinear map. It is only used by our zero-knowledge simulator to check that (A, B, X) forms 
a Diffie-Hellman tuple, since it does not have access to the discrete log of A. We stress that this 
use of a bilinear map is not crucial, and that we eliminate the need for a bilinear map in our 
second protocol (see Appendix D). 

Here, P_i and V_i denote the i-th prover and the i-th verifier message, respectively. 
(P, V) represents the three round canonical argument. 

Prover P                                          Verifier V 
Initial state St_0 = (x, w, R) 
(q, g) <- L_QG; a <- Z_q^*; A <- g^a 
                  P1: (q, g, A)    --------------> 
                                                  If (q, g) ∉ L_QG then abort 
                                                  else b <- Z_q^*; B <- g^b; X <- A^b 
                  V1: (B, X)       <-------------- 
Let Com_DL (defined in Section 2.3) be the commitment scheme using (g, B). 
If X ≠ B^a then abort 
else (Cmt, St_1) <- P(ε, St_0) 
α <- Z_q; Z = Com_DL(α; r) 
                  P2: (Cmt, Z)     --------------> 
                                                  β <- {0,1}^n 
                  V2: β            <-------------- 
Ch <- α ⊕ β 
(Rsp, St_2) <- P(Ch, St_1) 
                  P3: (α, r, Rsp)  --------------> 
                                                  If Z ≠ Com_DL(α; r) then abort 
                                                  Ch <- α ⊕ β 
                                                  If Ver_x(Cmt, Ch, Rsp) = 1 
                                                  then accept else reject. 

Figure 2: Π: 5-Round Protocol for cZK, (P, V) 

This protocol uses the discrete log based commitment scheme Com_DL, which is binding under 
the hardness of DHLA. The secret value b committed to by the verifier satisfies the following 
properties. 

R1: For Soundness: Under DHLA (Assumption 3.1), any cheating prover, while interacting 
with the honest verifier, cannot get the secret coins of the verifier. Hence, any cheating 
prover cannot output the discrete log of B sent by the verifier in Figure 2. 

R2: For Zero-knowledge: Under m-KEA (Assumption 3.4), our simulator will be able to 
output the discrete log of B no matter how the verifier behaves. Once the simulator 
gets the secret coins of V*, which are the trapdoor to the equivocal commitment scheme, the 
simulation is easy. 

For R2, informally, it seems that even the cheating verifier must start by simply choosing b and 
computing (g^b, A^b) in order to pass the check X = B^a. That is, we assume that the verifier 
knows the secret coins b whenever it passes the check. m-KEA, defined in Assumption 3.4, captures 
this idea of knowledge and knowledge extraction formally. Under this variant of the knowledge 
of exponent assumption, we will design a simulator which will extract the secret coins of the 
cheating verifier. Since the simulator will have the trapdoor to Com_DL, it will be able to 
equivocate on its commitment to α and force the outcome of the coin flipping protocol to the 
challenge string output by the honest verifier simulator S_HV. 
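As an added illustration (not code from the paper), the following Python rendition of Com_DL from Section 2.3 and of rounds P1/V1 and the coin-flipping rounds of Figure 2 shows the two uses of the trapdoor b that R1 and R2 rest on: extracting b from two distinct openings of one commitment, which is what the DHLA reduction of Section 5 does after rewinding, and equivocating with b so that the coin flip lands on the challenge chosen by S_HV, which is what the simulator does. The group parameters P, Q, G and the 8-bit challenge length are constructed toy values and an assumption of the example.

```python
# Added example (not from the paper): Com_DL of Section 2.3, the Knowledge
# Commitment rounds P1/V1 of Figure 2, and the coin flipping of rounds
# P2/V2/P3, run honestly and then as the simulator runs it with trapdoor b.
# Toy group (constructed): the order-Q subgroup of Z_P^* with P = 2Q + 1.
# Challenges are 8-bit strings (< 256 <= Q), so alpha XOR beta never wraps.
import secrets

P = 1019       # safe prime, P = 2*Q + 1
Q = 509        # prime subgroup order q
G = 4          # generator of the order-Q subgroup (4 = 2^2 is a square mod P)
CH_BITS = 8    # constructed challenge length in place of the paper's n

def commit(B, x, r=None):
    """Com_DL(x; r) = g^x * B^r, with B the verifier's knowledge commitment."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, x % Q, P) * pow(B, r % Q, P)) % P, r

def verify_open(B, Z, x, r):
    """Receiver's check of an opening (x, r) of Z."""
    return commit(B, x, r)[0] == Z

def extract_trapdoor(x, r, x2, r2):
    """Two openings of one Z with x != x2 give b = (x - x2) * (r2 - r)^-1 mod q.
    This is the step the DHLA adversary of Section 5 performs after rewinding."""
    assert x % Q != x2 % Q, "openings must differ in the committed value"
    return ((x - x2) * pow((r2 - r) % Q, -1, Q)) % Q

def equivocate(x, x2, r, b):
    """Open_DL(x, x2, r, b) = (x + r*b - x2) * b^-1 mod q: with the trapdoor b,
    the commitment Z = Com_DL(x; r) is opened as a commitment to x2."""
    return ((x + r * b - x2) * pow(b, -1, Q)) % Q

def knowledge_commitment(a):
    """Rounds P1/V1: the prover sends A = g^a; the verifier commits to b by
    sending (B, X) = (g^b, A^b).  Returns (b, B, X); b stays with the verifier."""
    A = pow(G, a, P)
    b = secrets.randbelow(Q - 1) + 1           # b in Z_q^*
    return b, pow(G, b, P), pow(A, b, P)

def prover_check(a, B, X):
    """The prover's test X == B^a, i.e. (g, A, B, X) is a DH tuple; no pairing needed."""
    return pow(B, a, P) == X

def honest_coin_flip(B, beta):
    """Rounds P2/V2/P3 as the real prover runs them: alpha is committed before
    beta is seen, so Ch = alpha XOR beta is unbiased for either party."""
    alpha = secrets.randbelow(1 << CH_BITS)
    Z, r = commit(B, alpha)
    return Z, alpha, r, alpha ^ beta

def simulated_coin_flip(b, B, beta, target):
    """What the simulator does once it holds b: commit to a random alpha, see
    beta, then equivocate so that the outcome equals the target challenge
    handed out by the honest-verifier simulator S_HV."""
    alpha = secrets.randbelow(1 << CH_BITS)
    Z, r = commit(B, alpha)
    alpha2 = target ^ beta
    r2 = equivocate(alpha, alpha2, r, b)
    return Z, alpha2, r2, alpha2 ^ beta
```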
5 Π is Computationally Sound 



Recall that DHLA says that given a Diffie-Hellman tuple (g, g^a, g^b, g^{ab}), even if a is chosen by 
the adversary, it is hard for it to guess b with non-negligible probability. We prove soundness 
of Π by the following two steps. Let P* denote the cheating prover. 

• If P* succeeds in equivocating its commitment in the coin flipping protocol, then we can extract 
the trapdoor value b of the Knowledge Commitment Protocol from P*. This shows that P* 
can be used to efficiently compute b and thereby break DHLA. 

• We show that if P* does not equivocate on its commitment in the coin flipping protocol and 
convinces the verifier of a false statement, then such a P* can be used to violate the 
underlying strong soundness of canonical arguments. In other words, it would violate the 
underlying soundness of Blum's Hamiltonicity protocol. 

To prove the soundness of Π in the concurrent setting, it is sufficient to prove soundness of a 
single stand-alone session. 

For the first step, let us define the following interactive game Q: 

1. Sim runs the above protocol with P* till P* commits to α using random coins r in 
the above protocol, using the commitment scheme Com_DL as defined before. P* sets Z = 
Com_DL(α; r) and sends Z to Sim. 

2. Sim sends β to P*. 

3. P* sends (α_1, r_1, Rsp) to Sim such that Z = Com_DL(α_1; r_1). 

4. Sim rewinds P* to Step 2 and sends it β' such that β' ≠ β. P* wins if it sends 
(α_2, r_2, Rsp) to Sim such that Z = Com_DL(α_2; r_2) and α_1 ≠ α_2. 

Lemma 5.1. Under DHLA, for every probabilistic polynomial time machine P*, every polyno- 
mial poly(·), and all sufficiently large n's, 

Pr[P* wins Q] < 1/poly(n), 

where the probability is over the choice of a, β and the coins of P*, and n is the security parameter. 

Proof: We will prove this by contradiction. If there is a polynomial f(n) such that Pr[P* wins Q] ≥ 
1/f(n), then we can construct an adversary A for DHLA. A runs P*, gets (q, g, A) and sends 
(g, A) to the challenger Ch of DHLA. Ch prepares the challenge tuple by choosing a random b 
and sends (B = g^b, X = A^b) to A, which it forwards to P*. P* and A continue running the 
protocol Π until the opening of Z as α. After this opening, A rewinds P* to the commitment 
Z and runs P* again with a different β', and looks at the opening of Z by P*. If P* opens Z 
to the same α, A aborts. Else, if P* opens Z to an α' such that α ≠ α', A can compute b, the 
discrete log of B, as described in Section 2.3. A sends b to Ch. 
Pr[A breaks DHLA] = Pr[P* wins Q] ≥ 1/f(n). This contradicts DHLA. 

Theorem 5.2. Under Lemma 5.1 and the strong soundness property (B2) of (P, V), protocol Π is 
computationally sound. 

Proof: We will again prove this by contradiction. If Π is not computationally sound then there 
exists a PPT machine P* and an infinite set X = {(x, w) : x ∉ L} such that there exists a 
polynomial p(·) satisfying 

Acc(P*(x, w), V(x)) > 1/p(|x|). 

Since P* can equivocate its commitment to α only with negligible probability, the only way 
P* can convince V of a false statement is to complete the protocol successfully for multiple 
challenges for each (x, w) ∈ X. 

Using this cheating prover P* for Π, we will construct a cheating prover P̂ for the canonical 
argument system which breaks the strong soundness property of the canonical argument system. 
P̂ interacts with P* as the verifier on some (x, w) ∈ X. P̂ runs the protocol till the end. If 
P* succeeds in convincing P̂, then P̂ rewinds P* up to the point when P* has sent its 
commitment to α. This time P̂ sends a different β. If P* completes the protocol successfully 
for the second time, then P̂ gets two different tuples (Cmt, Ch_1, Rsp_1) and (Cmt, Ch_2, Rsp_2) 
for x ∉ L which an honest verifier V would accept. This is because P* cannot equivocate to α 
with non-negligible probability. This would contradict the strong soundness property of (P, V). 
Now we need to calculate the probability of success of P̂ in breaking B2. 
Let T be the transcript of Π till the prover's commitment to α. Let p_T = Pr[V accepts x ∉ L | T]. 
We are given that 

1/p(|x|) < Acc(P*(x, w), V(x)) = E_T(p_T) ≤ Pr_T[p_T ≥ 1/(2·p(|x|))] · 1 + Pr_T[p_T < 1/(2·p(|x|))] · 1/(2·p(|x|)). 

Now we know that Pr_T[p_T < 1/(2·p(|x|))] ≤ 1. By solving we get 

Pr_T[p_T ≥ 1/(2·p(|x|))] ≥ 1/(2·p(|x|)). 

We call a transcript T good when p_T ≥ 1/(2·p(|x|)). P̂ breaks B2 on a good transcript when P* 
succeeds in convincing the verifier on two independent choices of β. Hence, 

Pr[P̂ breaks B2] ≥ Pr[T is good] · (1/(2·p(|x|)))^2 ≥ (1/(2·p(|x|)))^3. 

This contradicts the strong soundness property of the canonical argument system by a non-negligible 
probability. 



6 Π is Concurrently Zero-Knowledge 

To establish the zero-knowledge property, we build a sequence of extractors through recursive 
applications of m-KEA. Informally, each circuit uses the extractor provided by m-KEA to obtain 
the value b committed by V* and then uses this trapdoor value to equivocate in the coin flipping 
protocol. Through such an equivocation, the simulator can force the challenge message in 
Blum's Hamiltonicity protocol to be equal to the challenge the simulator received by calling 
the honest verifier simulator S_HV for Blum's Hamiltonicity. We prove that the simulation is 
computationally indistinguishable from the real execution through a sequence of hybrids. 

Theorem 6.1. If there are m concurrent sessions of Π and if our family of admissible adver- 
saries A contains all polynomial size adversaries and allows polysize malicious extensions, then 
under m-KEA and the honest verifier zero-knowledge property of (P, V), the following distribution 
ensembles are computationally indistinguishable: 

{S_V(x, y)}_{m, x ∈ L, y ∈ {0,1}^m} and {(P(x, w), V*(x, y))}_{m, x ∈ L, w ∈ W_L(x), y ∈ {0,1}^m}, 

where S_V is the zero-knowledge simulator for Π described in Appendix B. 

For the proof of this theorem, refer to the appendix. The following theorem states that the 
circuit of our simulator S_V is a polynomial size circuit. 

Theorem 6.2. The size of the circuit of the simulator S_V is a fixed polynomial in the size of 
the circuit of V* and the security parameter. 

For the proof of this theorem, refer to Appendix C. 



7 m-KEA holds in the Bilinear Generic Group Model 

In this section, we will argue that m-KEA (Assumption 3.4) holds for any family of admissible 
adversaries (described below) that acts generically on the groups used in our protocol. 

The Generic Group model: Given a cyclic bilinear group G, we consider the random 
encoding ψ_G, that is, an injective map ψ_G : G → {0,1}^l, where l ≥ 3 · log(|G|). We write the 
encoded group as {ψ_G(x) : x ∈ G}. Let e be the bilinear map, e : G × G → G_T, where G_T is 
also a cyclic group. Let the random encoding of G_T be ψ_{G_T}. The adversary is given access to 
three oracles Φ_B, Φ_P and Φ_T. The oracle Φ_B takes as input the random encodings of group 
elements in the base group G and performs the group operations multiplication and inverse in G. 
If α, β ∈ ψ_G(G), then Φ_B(α, β) gives the encoding of the product of the elements represented by α 
and β, which is ψ_G(ψ_G^{-1}(α) · ψ_G^{-1}(β)). Also Φ_B(α, Inv) gives the encoding of the inverse of the 
group element represented by α, which is ψ_G((ψ_G^{-1}(α))^{-1}), where α ∈ ψ_G(G). Φ_P also takes 
random encodings of group elements in G and returns the pairing under the bilinear map e. 
Given α, β ∈ ψ_G(G), Φ_P(α, β) gives the encoding of the pairing of the elements represented by α 
and β, which is ψ_{G_T}(e(ψ_G^{-1}(α), ψ_G^{-1}(β))). Similarly, Φ_T takes as input the random encodings 
of group elements in G_T and performs the group operations multiplication and inverse in G_T. 
If α, β ∈ ψ_{G_T}(G_T), then Φ_T(α, β) gives the encoding of the product of the elements represented 
by α and β, which is ψ_{G_T}(ψ_{G_T}^{-1}(α) · ψ_{G_T}^{-1}(β)). Also Φ_T(α, Inv) gives the encoding of the inverse 
of the group element represented by α, which is ψ_{G_T}((ψ_{G_T}^{-1}(α))^{-1}), where α ∈ ψ_{G_T}(G_T). Let 
Φ = Φ_B ∪ Φ_P ∪ Φ_T. Without loss of generality, assume ψ_G(1_G) = ε. 

Theorem 7.1. m-KEA holds in the bilinear generic group model w.r.t. a family of admissible 
adversaries A which contains all polysize malicious circuits with all polysize auxiliary inputs. 

Proof: Consider the following family of admissible adversaries A = {(C_n, M_n^*, B_n, aux_n)}_{n ∈ N}, 
where M_n^* is any family of polysize malicious circuits which have access to the oracles, i.e. 
Φ_B, Φ_P and Φ_T. B_n is any family of polysize circuits which do not make any calls to any of the 
oracles. C_n = M_n^* ∪ B_n and aux_n is the set of all polysize strings. Observe that A admits any 
polysize malicious extension. Looking ahead, the family of extractor circuits E_n will not make 
any calls to Φ. 

Since in the experiment described in m-KEA the circuit C_n deals with m different bilinear 
groups, the oracles Φ_B, Φ_P and Φ_T also take the group number i as input. More formally, 
if α, β ∈ ψ_{G_i}(G_i), then Φ_B(i, α, β) = ψ_{G_i}(ψ_{G_i}^{-1}(α) · ψ_{G_i}^{-1}(β)), Φ_B(i, α, Inv) = ψ_{G_i}((ψ_{G_i}^{-1}(α))^{-1}) 
and Φ_P(i, α, β) = ψ_{G_{T,i}}(e_i(ψ_{G_i}^{-1}(α), ψ_{G_i}^{-1}(β))). Similar calls can be made to Φ_T to compute the 
multiplication and inverse operations in the groups G_{T,i}. 

To prove the second property of m-KEA, we maintain the invariant that our extractor 
circuit family E_n will not make any oracle calls. Now, in order to prove the theorem, we are left 
to prove that the first property of m-KEA holds. 

For all sufficiently large n, given a set of circuits S = {C_n, M_n^*, B_n, aux_n} ∈ A (defined 
above) and for all aux ∈ aux_n, we run the following experiment. For all i ∈ [m], we pick at 
random (q_i, g_i) ∈ L_QG and pick a random encoding ψ_{G_i} for the group G_i and ψ_{G_{T,i}} for the group 
G_{T,i}. Let Φ be the oracle for the bilinear generic group model. Now, choose values a_1, a_2, ..., a_m 
uniformly at random such that a_i ∈ Z_{q_i}^*. The circuit M_n^* is given the input (q_i, ψ_{G_i}(g_i), ψ_{G_i}(g_i^{a_i})) 
for all i ∈ [m]. Let the output of M_n^* be (j, B, X). Now we construct the extractor circuit E_n 
as follows: 

E_n builds a lookup table T_i for all i ∈ [m]. Table T_i maps every group element α = 
ψ_{G_i}(g_i^{d_i + a_i · d_i'}) ever considered by M_n^* to the tuple (d_i, d_i'). Informally, it maps the encod- 
ing of any group element to its discrete log w.r.t. g_i and g_i^{a_i}. Specifically, E_n works as follows: 
It initializes T_i with the following two entries: ψ_{G_i}(g_i) maps to (1, 0) and ψ_{G_i}(g_i^{a_i}) maps to (0, 1). 

Now, consider a topological ordering τ of the gates in circuit M_n^*. Traversing in this order, 
we process the oracle calls to Φ_B as follows: For an oracle call Φ_B(i, α, β) with outcome γ ≠ ⊥, we 
update T_i as follows: Find the entries in T_i corresponding to α and β, say T_i(α) and T_i(β). 
If any one of these is not found, we call this event Miss and E_n outputs MissFail. Then find γ 
in T_i. If T_i(γ) exists, but T_i(γ) ≠ T_i(α) + T_i(β) (addition is done component-wise and modulo 
q_i), we call this event Collision and E_n outputs CollisionFail. Else, set T_i(γ) = T_i(α) + T_i(β). For 
the oracle call Φ_B(i, α, Inv) with outcome γ ≠ ⊥, we update T_i as follows: Find the entry 
corresponding to α. If it does not exist, we call this event Miss and E_n outputs MissFail. If T_i(γ) 
already exists but T_i(γ) ≠ −T_i(α), then this event is Collision and E_n outputs CollisionFail. Else, 
set T_i(γ) = −T_i(α). For the oracle calls to Φ_P and Φ_T, E_n does nothing. 

After processing all the gates in M_n^* which make an oracle call, E_n looks at the output wires of 
M_n^* and interprets them as a tuple of the form (j, B, X) for some j ∈ [m]. If T_j(B) or T_j(X) does not 
exist, we call this event OutMiss and output OutFail. Else, if T_j(B) = (b, 0) and T_j(X) = (0, b), 
E_n outputs b; else E_n outputs Fail. Consider the event when (ψ_{G_j}^{-1}(B))^{a_j} = ψ_{G_j}^{-1}(X) but T_j(B) 
and T_j(X) are not of the form described above. We call this event FalseNegative because, though 
M_n^* outputs a valid tuple, E_n fails to output the discrete log. 

Observe that, as stated earlier, E_n does not make any oracle calls. Instead, it only examines 
the inputs and outputs of the oracle calls made by M_n^*. Since M_n^* can make at most |M_n^*| oracle 
calls, the total size of all the lookup tables is at most |M_n^*|. Hence, there exists c > 0 such that 
|E_n| ≤ (n · |M_n^*|)^c. There are four cases in which E_n misbehaves, and below we prove that the 
probability of each of these events is negligible. 

1. Event Miss: This event happens when M_n^* makes an oracle call with an input which is neither 
an input to M_n^* nor an output of some previous oracle call. This happens when M_n^* is 
able to guess an l-bit string which is a valid encoding of some group element. Hence, 

Pr[Miss] ≤ max_i |M_n^*| · q_i / 2^l ≤ max_i |M_n^*| / q_i^2, 

which is negligible since M_n^* is polysize. 

2. Event Collision: This happens when there is a conflict between the old T_i(γ) (say (x_1, y_1)) 
and the new output from Φ_B for T_i(γ) (say (x_2, y_2)). This would give us an equation of the 
form x_1 + y_1 · a_i = x_2 + y_2 · a_i, where the only unknown is a_i. Solving this equation, E_n 
can learn the value of a_i. But a_i was information-theoretically hidden. So, Pr[Collision] 
for any oracle call is at most 1/(q_i − 1). Taking a union bound over all the oracle calls in M_n^*, 

Pr[Collision] ≤ max_i |M_n^*| / (q_i − 1). 

Since M_n^* is polysize, this probability is negligible. 

3. Event FalseNegative: This event happens when (ψ_{G_j}^{-1}(B))^{a_j} = ψ_{G_j}^{-1}(X) but T_j(B) and 
T_j(X) are not of the form (b, 0) and (0, b), respectively. Let T_j(B) = (x_1, y_1) and T_j(X) = 
(x_2, y_2). Note that since (ψ_{G_j}^{-1}(B))^{a_j} = ψ_{G_j}^{-1}(X), it is the case that a_j · (x_1 + y_1 · a_j) = 
x_2 + y_2 · a_j. This gives a quadratic equation in a_j which has at most two roots. Hence, 
Pr[FalseNegative] ≤ max_j 2/(q_j − 1). 

4. Event OutMiss: We are only concerned with the event when E_n outputs OutFail but (B, X) 
is a valid tuple of group elements. This happens when M_n^* successfully guesses at least 
one l-bit string which is a valid encoding of some group element. As argued above for the 
event Miss, this probability is bounded above by max_i |M_n^*| · q_i / 2^l. This bound must also hold 
for the event OutMiss. Hence Pr[OutMiss ∧ Valid] ≤ max_i |M_n^*| / q_i^2, which is negligible. 

We have shown the construction of E_n such that if M_n^* outputs a tuple (j, B, X) such that 
(ψ_{G_j}^{-1}(B))^{a_j} = ψ_{G_j}^{-1}(X), then E_n outputs b such that ψ_{G_j}^{-1}(B) = g_j^b with all but negligible 
probability. Since E_n does not make any oracle calls, {C_n ∪ E_n, M_n^*, B_n ∪ E_n, aux_n} ∈ A. 
Hence, the m-KEA assumption holds for A defined above. 

Remark: Note that because the adversary has to output the tuple (B, X) in the base group 
G, the calls to the oracles Φ_P and Φ_T are simply irrelevant to the proof. Hence, they neither 
arise in the construction of the extractor E_n nor cause any complication to its existence. Moreover, 
almost the same extractor construction can be used to show that the knowledge assumption for 
non-bilinear groups (see Appendix D) would hold in generic groups. 
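The following Python program is an added illustration (not from the paper) of the extractor E_n from the proof of Theorem 7.1 for a single group (m = 1): it simulates the random encoding ψ_G and the oracle Φ_B, lets a constructed generic adversary M* compute (B, X) through oracle calls only, and then has E_n replay the logged calls to build the table T of (d, d') pairs and output b, or one of MissFail, CollisionFail, OutFail and Fail. As the Remark notes, Φ_P and Φ_T play no role in the extraction and are left out. The group order Q = 2^61 − 1, the seeds and the three adversary behaviours are assumptions of the example.

```python
# Added example (not from the paper): the extractor E_n of Theorem 7.1 in a
# generic group with one base group (m = 1) and only the oracle Phi_B.
import random

Q = 2**61 - 1                 # prime group order q (constructed: Mersenne prime M61)
L = 3 * Q.bit_length()        # encoding length l >= 3 * log|G|

class GenericGroup:
    """Z_q in the exponent, hidden behind a random injective encoding psi.
    Every oracle call is appended to self.log, which is all the extractor
    ever sees (the "wires" of M*)."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.enc = {}          # exponent e -> psi(g^e)
        self.dec = {}          # psi(g^e) -> e
        self.log = []          # (alpha, beta, gamma) for each Phi_B call

    def encode(self, e):
        e %= Q
        if e not in self.enc:
            s = format(self.rng.getrandbits(L), f"0{L}b")
            while s in self.dec:                 # keep psi injective
                s = format(self.rng.getrandbits(L), f"0{L}b")
            self.enc[e], self.dec[s] = s, e
        return self.enc[e]

    def phi_B(self, alpha, beta):
        """Phi_B(alpha, beta): product, or inverse when beta == "Inv".
        Returns None (the paper's bottom) if a string encodes nothing."""
        if alpha not in self.dec or (beta != "Inv" and beta not in self.dec):
            gamma = None
        elif beta == "Inv":
            gamma = self.encode(-self.dec[alpha])
        else:
            gamma = self.encode(self.dec[alpha] + self.dec[beta])
        self.log.append((alpha, beta, gamma))
        return gamma

def oracle_pow(grp, base, k):
    """Square-and-multiply on encodings: the only way a generic M* can
    raise an encoded element to the power k (k >= 1)."""
    acc = None
    for bit in bin(k)[2:]:
        if acc is not None:
            acc = grp.phi_B(acc, acc)
        if bit == "1":
            acc = base if acc is None else grp.phi_B(acc, base)
    return acc

def extractor(grp, g_enc, ga_enc, B, X):
    """E_n: replays the log without a single oracle call, maintaining
    T[enc] = (d, d') meaning psi^{-1}(enc) = g^(d + a*d')."""
    T = {g_enc: (1, 0), ga_enc: (0, 1)}
    for alpha, beta, gamma in grp.log:
        if gamma is None:                        # outcome was bottom: ignored
            continue
        if alpha not in T or (beta != "Inv" and beta not in T):
            return "MissFail"                    # event Miss
        if beta == "Inv":
            new = tuple((-v) % Q for v in T[alpha])
        else:
            new = tuple((u + v) % Q for u, v in zip(T[alpha], T[beta]))
        if gamma in T and T[gamma] != new:
            return "CollisionFail"               # event Collision
        T[gamma] = new
    if B not in T or X not in T:
        return "OutFail"                         # event OutMiss
    (d1, d2), (e1, e2) = T[B], T[X]
    if d2 == 0 and e1 == 0 and d1 == e2:
        return d1                                # b with B = g^b and X = (g^a)^b
    return "Fail"

def run_experiment(mode="dh", seed=7):
    """m-KEA experiment for m = 1 against a constructed M* whose behaviour is
    selected by mode; returns (output of E_n, the b that M* actually used)."""
    rng = random.Random(seed)
    grp = GenericGroup(seed + 1)
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    g_enc, ga_enc = grp.encode(1), grp.encode(a)  # M*'s input: psi(g), psi(g^a)
    B = oracle_pow(grp, g_enc, b)                 # B = g^b through oracle calls
    if mode == "dh":                              # X = (g^a)^b: a DH tuple
        X = oracle_pow(grp, ga_enc, b)
    elif mode == "notdh":                         # X = g^a * g^b: not a DH tuple
        X = grp.phi_B(ga_enc, B)
    else:                                         # X is a guessed l-bit string
        X = format(rng.getrandbits(L), f"0{L}b")
    return extractor(grp, g_enc, ga_enc, B, X), b
```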

8 Related Work 

Knowledge Assumptions: Knowledge or extractability assumptions capture our belief that 
certain computational tasks can be done efficiently only by going through certain specific in- 
termediate stages and generating some specific kinds of intermediate values. One such class of as- 
sumptions is Knowledge of Exponent Assumptions, which were first introduced by Damgård [Dam91] 
to construct a CCA secure encryption scheme. Though these assumptions do not fall in the class 
of falsifiable assumptions [Nao03], they have been proven secure against generic algo- 
rithms [Nec94, Sho97, Den06], thus offering some evidence of validity. Hada and Tanaka [HT98] 
gave a three round zero-knowledge protocol using two knowledge of exponent assumptions. 
Later, Bellare and Palacio [BP04] proved that the assumption used for proving the soundness 
of the protocol was false, proposed a modified assumption and recovered the earlier result. We 
stress that in our protocol, we are able to argue soundness directly without the use of any 
knowledge assumption. 

Extending the assumption of [BP04], Abe and Fehr [AF07] constructed the first perfect NIZK 
for NP with full adaptive soundness. Under the knowledge of exponent assumption, Prabhakaran 
and Xue [PX09] constructed statistically hiding sets based on trapdoor DDH groups [DG06]. 
Gennaro et al. [GKR10] modify the Okamoto-Tanaka key agreement protocol to get perfect 
forward secrecy. Recently, Groth [Gro10] generalized the assumption of [AF07] to short non- 
interactive perfect zero-knowledge arguments for circuit satisfiability. 

Another set of knowledge assumptions used recently are extractable functions [CD08, CD09]. 
All of [BCCT12, DFH12, GLR11] give constructions of Extractable Collision Re- 
sistant Hash functions (ECRH) using Knowledge of Exponent Assumptions. Then, assuming 
the existence of ECRH, Bitansky et al. [BCCT12] modify the construction of [CL08] and prove 
that the modified construction is a succinct non-interactive adaptive argument of knowledge 
(SNARK). They also show that the existence of SNARKs implies the existence of (their notion of) 
ECRH. In the CRS model, they combined NIZK and SNARKs to give zero-knowledge non- 
interactive arguments. On the other hand, Damgård et al. [DFH12] also use ECRH to construct 
succinct non-interactive arguments in the CRS model. Using these, they give a two message protocol 
for two party computation which is UC-secure. 

Concurrent Zero-Knowledge: The difficulty in constructing a round-efficient cZK was 
first observed by Dwork et al. [DNS98]. Following this, rigorous lower bounds on the round complex- 
ity of cZK for NP with a black-box simulator have been proven in [KPR98, Ros00, CKPR01]; 
the best lower bound being Ω(log n / log log n) rounds, given by Canetti et al. [CKPR01]. 
Barak [Bar01] gave a constant round protocol for all of NP, in which he gave a non-black-box 
simulator for zero-knowledge. Also, for any predetermined polynomial p(·), this constant round 
protocol is zero-knowledge even when p(n) sessions are concurrently executed. But it has a 
major drawback. The polynomial p(·) has to be fixed at the beginning of the protocol and the 
message lengths grow linearly in p(n). Kilian and Petrank [KP01] gave a poly-logarithmic round 
protocol which is zero-knowledge even when it is executed concurrently for any (not predetermined) 
polynomial number of times. The gap between the upper and lower bounds of the round complexity 
of black-box cZK was closed by Prabhakaran, Rosen, and Sahai [PRS02], who gave an O(log n) 
round protocol. Since then, improving the round complexity of concurrent zero-knowledge has 
been an open problem. 

A Discussion regarding use of auxiliary inputs for concurrent simulation 

A potentially promising idea for using knowledge assumptions for concurrent simulation is the 
following: Formulate a knowledge assumption that holds for all auxiliary inputs for the ad- 
versary, and then invoke the knowledge extractor provided by the knowledge assumption with 
different auxiliary inputs corresponding to the extraction history. In other words, one could 
attempt to apply a single extractor iteratively for different concurrent sessions, passing along 
all the information extracted so far as auxiliary input to the extractor. 

However, similar to the example discussed in the Introduction concerning a potential "in- 
teractive" knowledge assumption, a problem may arise if the auxiliary input contains "external 
knowledge" and thereby prevents extraction. We stress there is an important distinction be- 
tween why this fails and the failure of the interactive knowledge assumption. Here we are not 
saying that a knowledge assumption which holds with regard to all auxiliary inputs must be 
false. Rather, we are saying that any natural application of such an assumption to the concurrent 
setting would fail. This is because it would cause us to invoke the extractor with auxiliary inputs 
that impermissibly correlate with messages received by the adversary in earlier executions of the 
Knowledge Commitment Protocol. By the definition of auxiliary input, an extractor would not 
be required to function in such a case. To make the intuition precise, consider an example of 
such an iterative application of a knowledge assumption in the concurrent setting. Suppose the 
adversary schedules the messages of the malicious committer (MC) as follows: First, MC asks 
for the random first message of the Receiver (R) in the Knowledge Commitment Protocol for all 
the sessions (r_1, ..., r_m). Now, MC chooses a function f and completes the first Knowledge 
Commitment Protocol by committing to f(r_1, r_2, ..., r_m). We apply the knowledge assumption 
to recover f(r_1, r_2, ..., r_m). Next, the MC completes another Knowledge Commitment Proto- 
col. Now, in order to extract, we need to provide the extractor one of the random r_i's as input 
and f(r_1, r_2, ..., r_m) as auxiliary input. But here, depending on the function f, this auxiliary 
input may be highly correlated to the input r_i. In this case, the extractor is allowed to fail with 
high probability. This is because the extractor is only required to work for the fixed auxiliary 
input aux = f(r_1, r_2, ..., r_m) when r_i is chosen at random independently of aux. However, the 
actual simulation would use aux that correlates with the input r_i. 

B Description of the simulator 

In the concurrent setting, the verifier may start an unbounded number of sessions with the prover and may interleave them in any way he wants. One such individual session has five rounds (as shown in Figure 5). In this section, we will model our cheating verifier $V^*$ as a next message function with a state $\gamma$:

$V^*(\mathsf{Msg}', k, \gamma') \to (\mathsf{Msg}, j, \gamma, \ell)$

where $\mathsf{Msg}'$ is the prover's (or simulator's) message for session $k$ and $\gamma'$ is the last state of $V^*$. In response, $V^*$ sends the message $\mathsf{Msg}$ corresponding to some session $j$ and changes its state to $\gamma$. The prover's (or simulator's) next message would be the next message of session $j$. In case $\mathsf{Msg}$ is $\varepsilon$, the verifier is requesting the first message of session $\ell$. The verifier can also output a special message $(\mathrm{End}, \mathrm{output})$, which means that $V^*$ wants to stop the execution with output $\mathrm{output}$.

To describe our simulator $S_{V^*}$, we will first describe a sequence of admissible adversaries $\{C_{n,i}, M_{n,i}, B_{n,i}, \mathsf{aux}_n\}$ and $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ for all $i \in \{1, 2, \ldots, m+1\}$. First, we will describe these for $i = 1$, followed by $i > 1$ recursively using $\{C_{n,i-1}, M_{n,i-1}, B_{n,i-1}, \mathsf{aux}_n\}$ and $\{C'_{n,i-1}, M'_{n,i-1}, B'_{n,i-1}, \mathsf{aux}_n\}$. Each of these circuits will maintain and update the set of aborted sessions, called $\mathrm{Aborted}$. We will assume that the simulator knows the upper bound $m$ on the number of sessions that $V^*$ executes. Also, whenever $V^*$ stops, our simulator stops with the output of $V^*$.

Admissible adversary: $\{C_{n,1}, M_{n,1}, B_{n,1}, \mathsf{aux}_n\}$.

Input: $(x, y, (q_1, g_1, g_1^{a_1}), \ldots, (q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of length $m$ and $(q_i, g_i) \in L_{QG}$ for all $i$. $R_1$ is the random tape for $C_{n,1}$ and $R_2$ is the random tape for $V^*$.

Output: $(j, B_j, X_j)$ or $(\mathrm{End}, \mathrm{output})$.

Description: We will start by building the circuit $F_{n,1}$ as follows: $F_{n,1}$ will simulate the interaction with $V^*$ until the point when $V^*$ sends the first $V_1$ message for some session $j$. Informally, this is the point when $V^*$ completes the "Knowledge Commitment Protocol" for the first time. So $F_{n,1}$ will keep sending the first message of the sessions requested by $V^*$ and wait for it to respond in one of the sessions. When $V^*$ sends a $V_1$ message for some session, $F_{n,1}$ outputs the message of $V^*$. More formally,

Step 1: $F_{n,1}$ sets $\gamma = (x, y, R_2)$ and $\mathsf{Msg}' = (q_1, g_1, g_1^{a_1})$. $F_{n,1}$ runs $V^*$ on $(\mathsf{Msg}', 1, \gamma)$.
Step 2: Let the output of $V^*$ be $(\mathsf{Msg}, j, \gamma, \ell)$. Now it does case analysis on $\mathsf{Msg}$.
Step 2a: If $\mathsf{Msg} = \varepsilon$, set $\mathsf{Msg}' = (q_\ell, g_\ell, g_\ell^{a_\ell})$ and run $V^*$ on $(\mathsf{Msg}', \ell, \gamma)$. Go to Step 2.
Step 2b: If $\mathsf{Msg}$ is the $V_1$ message of session $j$, i.e. $\mathsf{Msg} = (B_j, X_j)$, $F_{n,1}$ outputs $(j, B_j, X_j)$.
Step 2c: If $\mathsf{Msg} = (\mathrm{End}, \mathrm{output})$, $F_{n,1}$ outputs $(\mathrm{End}, \mathrm{output})$.

Note that since $F_{n,1}$ stops whenever $V^*$ sends the $V_1$ message of any session, the only inputs to $V^*$ are the prover's $P_1$ messages.

Now that we have defined $F_{n,1}$, we define our admissible adversary $\{C_{n,1}, M_{n,1}, B_{n,1}, \mathsf{aux}_n\} = (F_{n,1}, F_{n,1}, \varepsilon, \mathsf{aux}_n)$. Now we describe $\{C'_{n,1}, M'_{n,1}, B'_{n,1}, \mathsf{aux}_n\}$ as follows: By m-KEA, there must exist an extractor circuit $E_{n,1}$ which takes a subset of the wires of $M_{n,1}$ as input and outputs $(j, b_j)$ such that if $(g_j^{a_j}, B_j, X_j) \in \mathcal{DH}$ then $B_j = g_j^{b_j}$ with all but negligible probability. Here, without loss of generality and for ease of notation, we have assumed that $E_{n,1}$ also outputs $j$ along with $b_j$. This can be done by just using the output wires of $M_{n,1}$. Then $\{C'_{n,1}, M'_{n,1}, B'_{n,1}, \mathsf{aux}_n\} = (C_{n,1} \cup E_{n,1}, M_{n,1}, E_{n,1}, \mathsf{aux}_n)$.

We now describe $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ and $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\}$ recursively. Informally, $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ is the result of a polysize malicious extension to $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ using an extension circuit $F_{n,i+1}$. Here, $F_{n,i+1}$ continues the simulation using the output of $B'_{n,i}$. It starts by checking whether the last benign extraction was successful. If the extraction failed, it outputs $\mathrm{SimAbort}$. Otherwise, it continues the simulation until the point when $V^*$ responds with the next $V_1$ message for some session $j$. Then $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\}$ does the benign extraction for session $j$.

Admissible Adversary: $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ for some $i \in \{1, 2, \ldots, m\}$.

Input: $(x, y, (q_1, g_1, g_1^{a_1}), (q_2, g_2, g_2^{a_2}), \ldots, (q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of length $m$ and $(q_i, g_i) \in L_{QG}$ for all $i$. $R_1$ is the random tape for $C_{n,i}$ and $R_2$ is the random tape for $V^*$.

Output: $(j, B_j, X_j)$ or $(\mathrm{End}, \mathrm{output})$ or $\mathrm{SimAbort}$.

Description: $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ is the result of a polysize malicious extension to $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. Let $F_{n,i+1}$ be this malicious extension. It simulates the interaction with $V^*$ from the point when $V^*$ sends the $i$-th $V_1$ message until $V^*$ sends one more $V_1$ message for some session $j$. These messages are simulated with the help of the extractions done so far by the benign part of the circuit, $B'_{n,i}$. When $V^*$ sends the $V_1$ message for session $j$, $F_{n,i+1}$ stops and outputs the message of $V^*$. More formally, $F_{n,i+1}$ is defined as follows:

Step 1: If $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ outputs $\mathrm{SimAbort}$ or $(\mathrm{End}, \mathrm{output})$, then $F_{n,i+1}$ outputs the same. Else find the last output from $V^*$ in $M_{n,i}$. It is of the form $(j, B_j, X_j, \gamma)$. Set $\mathsf{Msg} = (j, B_j, X_j)$ and do the following:

• If $e_j(g_j^{a_j}, B_j) \neq e_j(X_j, g_j)$ then add $(\mathrm{Abort}, j)$ to $\mathrm{Aborted}$. Set $\mathsf{Msg}' = (\mathrm{Abort}, j)$ and run $V^*$ on $(\mathsf{Msg}', j, \gamma)$. Go to Step 2.

• Find the corresponding output $(j, b_j)$ of $B'_{n,i}$. If it is not found, or if $B_j \neq g_j^{b_j}$, $F_{n,i+1}$ outputs $\mathrm{SimAbort}$.

• If the extraction was successful, $F_{n,i+1}$ knows the discrete log of $B_j$, and it can equivocate in the commitment scheme $\mathrm{Com}_{DL_j}$. Set $Z_j = \mathrm{Com}_{DL_j}(0; r'_j)$. Run $S_{HV}$ on input $x$ to get the view of $V$ for session $j$, say $(\mathrm{CMT}_j, \mathrm{CH}_j, \mathrm{RSP}_j)$. Set $\mathsf{Msg}' = (\mathrm{CMT}_j, Z_j)$ and run $V^*$ on $(\mathsf{Msg}', j, \gamma)$.

Step 2: Let the output of $V^*$ be $(\mathsf{Msg}, j, \gamma, \ell)$ for some $j$ and $\gamma$. Now $F_{n,i+1}$ does case analysis on $\mathsf{Msg}$.

Step 2a: If $(\mathrm{Abort}, j) \in \mathrm{Aborted}$, set $\mathsf{Msg}' = (\mathrm{Abort}, j)$ and $\mathsf{next} = (\mathsf{Msg}', j, \gamma)$.

Step 2b: If $\mathsf{Msg}$ is the $V_1$ message of session $j$, i.e. $\mathsf{Msg} = (B_j, X_j)$, then $F_{n,i+1}$ outputs $(j, B_j, X_j)$.

Step 2c: If $\mathsf{Msg}$ is the $V_2$ message of session $j$, i.e. $\mathsf{Msg} = \beta_j$, then find $\mathrm{CH}_j$, $\mathrm{RSP}_j$ and $r'_j$ in $M'_{n,i} \cup F_{n,i+1}$ and set $\alpha_j = \mathrm{CH}_j \oplus \beta_j$. Set $r_j = \mathrm{Open}_{DL_j}(0, \alpha_j, r'_j, b_j)$. Set $\mathsf{Msg}' = (\alpha_j, r_j, \mathrm{RSP}_j)$ and $\mathsf{next} = (\mathsf{Msg}', j, \gamma)$.

Step 2d: If $\mathsf{Msg} = \varepsilon$, then set $\mathsf{Msg}' = (q_\ell, g_\ell, g_\ell^{a_\ell})$ and $\mathsf{next} = (\mathsf{Msg}', \ell, \gamma)$.

Step 2e: If $\mathsf{Msg} = (\mathrm{End}, \mathrm{output})$, $F_{n,i+1}$ outputs $(\mathrm{End}, \mathrm{output})$.

Step 3: Run $V^*$ on $\mathsf{next}$ and go to Step 2.

With the above description of $F_{n,i+1}$ complete, we now define $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\} = (C'_{n,i} \cup F_{n,i+1}, M'_{n,i} \cup F_{n,i+1}, B'_{n,i}, \mathsf{aux}_n)$.

Now that we have defined $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$, we define our admissible adversary $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\}$ as follows: By m-KEA, there must exist a circuit $E_{n,i+1}$ which takes a subset of the internal wires of $M_{n,i+1}$ as input and outputs $(j, b_j)$ such that if $(g_j^{a_j}, B_j, X_j) \in \mathcal{DH}$ then $B_j = g_j^{b_j}$ with all but negligible probability. Here again, without loss of generality and for ease of notation, we assume that $E_{n,i+1}$ also outputs $j$ along with $b_j$. This can be done by just using the output wires of $M_{n,i+1}$. Then, we define $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\} = (C_{n,i+1} \cup E_{n,i+1}, M_{n,i+1}, B_{n,i+1} \cup E_{n,i+1}, \mathsf{aux}_n)$.

Now that we have defined this sequence of admissible adversaries, we will describe our simulator $S_{V^*}$ in terms of these machines.

Circuit: $S_{V^*}$.

Input: $(x, y)$, where $x \in L$ and $y \in \mathsf{aux}_n$ is the auxiliary input of length $m$.
Output: View of $V^*$.

Step 1: If $V^*$ starts $m$ sessions then $S_{V^*}$ generates $(q_i, g_i) \xleftarrow{\$} L_{QG}$ for all $i \in \{1, 2, \ldots, m\}$. Each $q_i$ is of length $n$.

Step 2: $S_{V^*}$ generates $a_1, a_2, \ldots, a_m$ uniformly at random such that $a_i \in \mathbb{Z}_{q_i}^*$ and computes $A_i = g_i^{a_i}$ for all $i$.

Step 3: $S_{V^*}$ executes the admissible adversary circuit $(C_{n,m+1}, M_{n,m+1}, B_{n,m+1})$ with the inputs $(x, y, (q_1, g_1, g_1^{a_1}), (q_2, g_2, g_2^{a_2}), \ldots, (q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of $V^*$ of length $m$, $R_2$ is the random tape of $V^*$ and $R_1$ are the random coins for $C_{n,m+1}$.

Step 4a: If $(C_{n,m+1}, M_{n,m+1}, B_{n,m+1})$ outputs $\mathrm{SimAbort}$ then $S_{V^*}$ also outputs $\mathrm{SimAbort}$.
Step 4b: If $(C_{n,m+1}, M_{n,m+1}, B_{n,m+1})$ runs to completion with output $(\mathrm{End}, \mathrm{output})$, then $S_{V^*}$ outputs $\mathrm{output}$.

Theorem B.1. If there are $m$ concurrent sessions of $\Pi$ and if our family of admissible adversaries $\mathcal{A}$ contains all polynomial size adversaries and allows polysize malicious extensions, then under m-KEA and the honest verifier zero-knowledge property of $(P, V)$, the following distribution ensembles are computationally indistinguishable:

$\{S_{V^*}(x, y)\}_{m,\, x \in L,\, y \in \{0,1\}^m}$ and $\{(P(x, w), V^*(x, y))\}_{m,\, x \in L,\, w \in W_L(x),\, y \in \{0,1\}^m}$

Proof: We will prove indistinguishability by a sequence of hybrids. If there are $m$ sessions we will consider $3m + 1$ hybrids, $\mathcal{H}_0 \cup \{\mathcal{H}_{i,1}, \mathcal{H}_{i,2}, \mathcal{H}_{i,3}\}$ for all $i \in [m]$. We will now describe the hybrids in detail. We will assume that all the hybrids also have the witness $w$ for the fact $x \in L$.

• $\mathcal{H}_0$ is the honest hybrid. It runs Steps 1 and 2 of $S_{V^*}$ and then builds $F_{n,1}$, but does not stop on receiving the first response from $V^*$. Instead it uses the witness and interacts honestly in all the sessions. $\mathcal{H}_0 = \{F_{n,1}, F_{n,1}, \varepsilon, \mathsf{aux}_n\}$. This hybrid is the same as the honest prover interacting with $V^*$.

In each of the following hybrids we build on the admissible adversary circuit $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. If its malicious part $M'_{n,i}$ outputs a tuple, we will call its session number $j$.

• $\mathcal{H}_{i,1}$ runs Steps 1 and 2 of $S_{V^*}$ and then builds $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ with the inputs $(x, y, (q_1, g_1, g_1^{a_1}), (q_2, g_2, g_2^{a_2}), \ldots, (q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of $V^*$ of length $m$, $R_2$ is the random tape of $V^*$ and $R_1$ are the random coins of $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. If $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ outputs $\mathrm{SimAbort}$, then $\mathcal{H}_{i,1}$ does the same. Else find the last output from $V^*$ in $M_{n,i}$. It is of the form $(j, B_j, X_j, \gamma)$. Now, start building the polysize malicious extension $F_{n,i+1}$ to $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. $F_{n,i+1}$ does the following tests:

– If $e_j(g_j^{a_j}, B_j) \neq e_j(X_j, g_j)$ then add $(\mathrm{Abort}, j)$ to $\mathrm{Aborted}$.

– Find the corresponding output $(j, b_j)$ of $B'_{n,i}$. If it is not found, or $B_j \neq g_j^{b_j}$, $F_{n,i+1}$ outputs $\mathrm{SimAbort}$.

If the tests pass, $F_{n,i+1}$ continues as follows: Among the unaborted sessions, for all sessions $\ell$ such that $\ell \neq j$ and $(\ell, b_\ell)$ lies in the output of $B'_{n,i}$, it uses the extracted values to simulate the sessions. For the rest of the sessions, it uses the witness to generate the messages honestly. Note that although $\mathcal{H}_{i,1}$ has the extracted value for session $j$, it does not use it and acts honestly in that session. $\mathcal{H}_{i,1} = (C'_{n,i} \cup F_{n,i+1}, M'_{n,i} \cup F_{n,i+1}, B'_{n,i}, \mathsf{aux}_n)$.

• $\mathcal{H}_{i,2}$ is the same as $\mathcal{H}_{i,1}$ with the following change. It chooses $\alpha_j \leftarrow \mathbb{Z}_q$, but sets $Z_j = \mathrm{Com}_{DL_j}(0; r'_j)$. Later, while opening, it sets $r_j = \mathrm{Open}_{DL_j}(0, \alpha_j, r'_j, b_j)$ and opens the commitment to $\alpha_j$ and $r_j$. It generates all other messages of session $j$ honestly.

The hybrids $\mathcal{H}_{i,1}$ and $\mathcal{H}_{i,2}$ are identical because the commitment scheme $\mathrm{Com}_{DL}$ is perfectly hiding and hence $\mathrm{Com}_{DL_j}(0)$ and $\mathrm{Com}_{DL_j}(\alpha_j)$ are identically distributed.

• $\mathcal{H}_{i,3}$ makes the following change to $\mathcal{H}_{i,2}$. While generating the $P_2$ message of session $j$, it runs $S_{HV}$ to get $(\mathrm{CMT}_j, \mathrm{CH}_j, \mathrm{RSP}_j)$. It sends $(\mathrm{CMT}_j, \mathrm{Com}_{DL_j}(0; r'_j))$ as the $P_2$ message. For the $P_3$ message, it sets $\alpha_j = \beta_j \oplus \mathrm{CH}_j$, $r_j = \mathrm{Open}_{DL_j}(0, \alpha_j, r'_j, b_j)$ and sends $(\alpha_j, r_j, \mathrm{RSP}_j)$. Hence, in $\mathcal{H}_{i,3}$ all sessions $\ell$ such that $(\ell, b_\ell)$ is in the output of $B'_{n,i}$ are simulated and all the remaining sessions are honest. Note that $\mathcal{H}_{m,3}$ is the same as the interaction between $S_{V^*}$ and $V^*$.

Below we will prove the indistinguishability of $\mathcal{H}_{i,3}$ and $\mathcal{H}_{i+1,1}$.

First note that the only difference between the hybrids $\mathcal{H}_{i,3}$ and $\mathcal{H}_{i+1,1}$ is that in $\mathcal{H}_{i+1,1}$ we add $E_{n,i+1}$ to $B'_{n,i}$. But $\mathrm{SimAbort}$ happens in $\mathcal{H}_{i+1,1}$ and not in $\mathcal{H}_{i,3}$ only when $V^*$ sends a correctly formed $(B, X)$ but we fail to extract the correct value in $E_{n,i+1}$. This probability is negligible by m-KEA. Hence, the hybrids $\mathcal{H}_{i,3}$ and $\mathcal{H}_{i+1,1}$ are statistically close.

In order to show indistinguishability between $\mathcal{H}_0$ and $\mathcal{H}_{m,3}$, we are just left with showing indistinguishability between $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$. We will show this by contradiction. Let us assume there is a distinguisher $\mathcal{D}$ which distinguishes between $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$ for some $i$ and auxiliary input $y$. Then we will show a distinguisher $\mathcal{D}'$ for

$\{S_{HV}(x)\}_{x \in L}$ and $\{(P(x, w), V(x))\}_{x \in L,\, w \in W_L(x)}$.

This would contradict the honest verifier zero-knowledge property of $(P, V)$. $\mathcal{D}'$ is given a 3-round transcript $T' = \{\mathrm{CMT}, \mathrm{CH}, \mathrm{RSP}\}$ as input for the NP-statement $x \in L$, which is generated either by $P$ or by $S_{HV}$ for the canonical argument system. Using the witness $w$ for $x \in L$, $\mathcal{D}'$ generates an input $\mathcal{H}_i$ for $\mathcal{D}$ which is the same as $\mathcal{H}_{i,3}$ except for the following change. Instead of running $S_{HV}$ for the session $j$ (defined above), it uses $\{\mathrm{CMT}, \mathrm{CH}, \mathrm{RSP}\}$ for that session.

If the input to $\mathcal{D}'$ is from $\{(P(x, w), V(x))\}_{x \in L,\, w \in W_L(x)}$, the input to $\mathcal{D}$ is identical to $\mathcal{H}_{i,2}$. This is because, since the honest verifier's $\mathrm{CH}$ is distributed uniformly in $\{0,1\}^n$, $\alpha_j$ in $\mathcal{H}_i$ is distributed uniformly. On the other hand, if the input of $\mathcal{D}'$ is from $\{S_{HV}(x)\}_{x \in L}$, the input to $\mathcal{D}$ is identical to $\mathcal{H}_{i,3}$. So, if $\mathcal{D}$ says that $\mathcal{H}_i$ is distributed identically to $\mathcal{H}_{i,2}$, then $\mathcal{D}'$ says that $T'$ was generated by $P$. Else, it was generated by $S_{HV}$.

The success probability of $\mathcal{D}'$ in distinguishing between transcripts of $P$ and $S_{HV}$ is the same as the success probability of $\mathcal{D}$ in distinguishing $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$. Hence, $\mathcal{D}'$ distinguishes between the following two ensembles with non-negligible probability

$\{S_{HV}(x)\}_{x \in L}$ and $\{(P(x, w), V(x))\}_{x \in L,\, w \in W_L(x)}$

in contradiction to property B3 of the canonical argument system.

C Size of the Simulator Circuit

Theorem C.1. Under m-KEA, there exists a constant $c$ such that the size of the circuit of $S_{V^*}$, denoted by $|S_{V^*}|$, is bounded by $n^c \cdot |V^*|^c + \mathrm{poly}(n)$.

Proof: Let m-KEA hold w.r.t. a family of admissible adversaries $\mathcal{A}$. Then in Section 6 the simulator is described by a circuit $S = \{C_{n,m+1}, M_{n,m+1}, B_{n,m+1}, \mathsf{aux}_n\}$.

Now, $|S_{V^*}| = |C_{n,m+1}| + |C|$, where $C$ is the circuit which generates $(p_i, q_i, g_i)$ at random from $L_{PQG}$, generates $a_i$ at random from $\mathbb{Z}_{q_i}^*$ and computes $g_i^{a_i}$ for all $i \in [m]$. There exists a fixed constant $c_1$ such that $|C| \le n^{c_1}$. We are left with computing $|C_{n,m+1}|$.

Since $M_{n,m+1}$ and $B_{n,m+1}$ form a partition of $C_{n,m+1}$, $|C_{n,m+1}| = |M_{n,m+1}| + |B_{n,m+1}|$. By construction, $B_{n,m+1} = \bigcup_{i=1}^{m} E_{n,i}$. By m-KEA, there exists a constant $c' > 0$ such that $|E_{n,i}| \le (n \cdot |M_{n,i}|)^{c'}$. So,

$|B_{n,m+1}| = \sum_{i=1}^{m} |E_{n,i}| \le \sum_{i=1}^{m} (n \cdot |M_{n,i}|)^{c'} \le n^{c'} \cdot \sum_{i=1}^{m} |M_{n,m}|^{c'} \le n^{c'} \cdot m \cdot |M_{n,m}|^{c'}.$

Using the above, we get $|C_{n,m+1}| \le |M_{n,m+1}| + n^{c'} \cdot m \cdot |M_{n,m}|^{c'} \le n^{c_2} \cdot |M_{n,m+1}|^{c_2}$ for some constant $c_2 > c'$.

$M_{n,m+1}$ calls $V^*$ at most $3 \cdot m$ times, calls $S_{HV}$ at most $m$ times and generates all other messages using a circuit of size at most $n^{c_3}$ for some constant $c_3$. Hence, $|M_{n,m+1}| \le 3m \cdot |V^*| + m \cdot |S_{HV}| + n^{c_3}$. We also know that if $n$ is the security parameter then $|S_{HV}| \le n^{c_4}$ for some constant $c_4 > 0$. We get $|M_{n,m+1}| \le 3 \cdot m \cdot |V^*| + n^{c_5}$. Combining all of the above, we get

$|S_{V^*}| = |C_{n,m+1}| + |C| \le n^{c_2} \cdot |M_{n,m+1}|^{c_2} + n^{c_1} \le n^{c_2} \cdot (3 \cdot m \cdot |V^*| + n^{c_5})^{c_2} + n^{c_1} \le n^c \cdot |V^*|^c + \mathrm{poly}(n),$

where $c > 0$ is a fixed constant.

D Constant Round Protocol for Concurrent Zero-Knowledge using Knowledge of Exponent Assumption in General Groups

The constant round protocol described below is a concurrent zero-knowledge protocol under the knowledge of exponent assumption m-KEA in general groups. The assumption is similar to that described in Section 3.4, but now it is assumed to hold w.r.t. general groups of prime order (see Assumption D.5). This protocol is very similar to the previous protocol apart from the following change: In the previous protocol, when the verifier replied with $(B, X)$ on input $(g, A)$, the prover checked whether $B^a = X$. Here $a$ is the discrete log of $A$, which is known to the prover. In the protocol described in this section, the prover does not do any such check. Instead, the verifier proves in zero-knowledge that there indeed exists $b$ such that $B = g^b$ and $X = A^b$, using a constant round statistically sound zero-knowledge protocol $\Pi_{ZK}$. Such a protocol was given by Goldreich and Kahan [GK96] for all of NP, but more efficient such protocols exist for proving Diffie-Hellman pairs and can be used (see e.g. [Gol01] and the references therein). We start by giving a few additional definitions.

Definition D.1. Let $L_{PQG}$ denote the set $\{(p, q, g)\}$ of primes and generators, where $p$ and $q$ are primes such that $p = 2q + 1$ and $g$ is an element of order $q$ in $\mathbb{Z}_p^*$.

Definition D.2. Let $\Pi_{ZK}$ be a constant round statistically sound zero-knowledge protocol for all of NP. We will use the protocol given by Goldreich and Kahan [GK96].

Knowledge Assumption: Below, by a circuit $C$ we mean a collection of Boolean gates and wires. We use the non-standard convention that certain gates are specially marked as output gates.

Definition D.3 (Admissible family of adversaries). An admissible family of adversaries $\mathcal{A}$ is a family of sets such that the following properties hold: Each set $S \in \mathcal{A}$ is such that $S = \{C_n, M_n, B_n, \mathsf{aux}_n\}_{n \in \mathbb{N}}$. For each such set $S$, there exist constants $c, d > 0$ such that $C_n$ is a circuit with $|C_n| \le n^c$, and $\mathsf{aux}_n \subseteq \{0,1\}^{n^d}$. Furthermore, $\{M_n, B_n\}$ is a partition of the gates and the wires of the circuit $C_n$. If $x$ is the input to $C_n$ then by $M_n(x)$ we refer to the result of the computation $C_n(x)$ restricted to the output wires in $M_n$; we define $B_n(x)$ similarly.

We will refer to $M_n$ and $B_n$ as the malicious and the benign parts, respectively, of the adversary circuit $C_n$.
Definition D.4 ($\mathcal{A}$ admits polysize malicious extensions). An admissible family of adversaries $\mathcal{A}$ admits polysize malicious extensions if the following holds: For any set of circuits $S \in \mathcal{A}$, where $S = \{C_n, M_n, B_n, \mathsf{aux}_n\}_{n \in \mathbb{N}}$, and any polysize circuit family $\{F_n\}_{n \in \mathbb{N}}$ such that $\exists d > 0$ with $|F_n| \le n^d$ and the input wires to $F_n$ are a subset of the wires in $M_n$ (including both internal and output wires) and the output wires of $B_n$, we have that $S' = \{C_n \cup F_n, M_n \cup F_n, B_n, \mathsf{aux}_n\} \in \mathcal{A}$.

Next, based on the definition above, we define a variant of the knowledge of exponent assumption based on the one described by Hada and Tanaka [HT98].

Assumption D.5 (m-Knowledge of Exponent Assumption (m-KEA) w.r.t. admissible adversaries). We say that the m-Knowledge of Exponent Assumption holds with respect to a family of admissible adversaries $\mathcal{A}$ if for every $c > 0$ there exists a constant $d > 0$ such that the following holds: For $m = n^c$, fix any $S = \{C_n, M_n, B_n, \mathsf{aux}_n\}_{n \in \mathbb{N}} \in \mathcal{A}$. Then there exists a family of extraction circuits $\{E_n\}_{n \in \mathbb{N}}$ whose inputs are a subset of the wires in $M_n$, such that $|E_n| \le (n \cdot |M_n|)^d$. (Informally, this condition requires that the extraction only uses the internal wires of the malicious part of the adversary.) Furthermore, we require that the following conditions hold:

1. For all sufficiently large $n$ and every polynomial $\mathrm{poly}(\cdot)$, the following is true for all $\mathsf{aux} \in \mathsf{aux}_n$: Consider the following probabilistic experiment: For $i \in [m]$, primes $p_i, q_i$ and generators $g_i$ are chosen at random such that $(p_i, q_i, g_i) \in L_{PQG}$, where $p_i$ is chosen to be of length $n$. Values $a_1, \ldots, a_m$ are chosen at random such that $a_i \in \mathbb{Z}_{q_i}^*$. Finally, $R$ is chosen uniformly at random from sufficiently long strings so that the length of the tuple $x = ((p_1, q_1, g_1, g_1^{a_1}), \ldots, (p_m, q_m, g_m, g_m^{a_m}), \mathsf{aux}, R)$ is exactly the length of the input to circuit $C_n$. If the input to $C_n$ is not long enough to allow such an input then the assumption is vacuously true for this $S$. Now, we consider the output of $M_n(x)$, which we interpret as a tuple $(j, B, X)$, where $j \in [m]$ and both $B$ and $X$ are in $\mathbb{Z}_{p_j}$. Then, we interpret the output of $E_n(x)$ as the value $b_j \in \mathbb{Z}_{q_j}$, and require the following to be true:

$\Pr\left[X = B^{a_j} \wedge B \neq g_j^{b_j}\right] < \frac{1}{\mathrm{poly}(n)}$

(Informally, this condition states that if the malicious part of the adversary outputs a tuple so that $(g_j^{a_j}, B, X)$ form a Diffie-Hellman tuple, then the extractor $E_n$ successfully outputs the discrete log of $B$ with respect to $g_j$.)

2. We have that $(C_n \cup E_n, M_n, B_n \cup E_n, \mathsf{aux}_n) \in \mathcal{A}$. (Informally, this means that the extraction circuit created by this assumption is benign.)

Definition D.6. An admissible set of adversaries $\mathcal{A}$ contains all polysize malicious adversaries if for all $c, c' > 0$, and for all circuit families $\{C_n\}_{n \in \mathbb{N}}$ such that $|C_n| \le n^c$, for each $n$ there exists some subset $\mathsf{aux}_n \subseteq \{0,1\}^{n^{c'}}$ such that $(C_n, C_n, \varepsilon, \mathsf{aux}_n) \in \mathcal{A}$. We say that $\mathcal{A}$ contains all polysize malicious adversaries with all polysize auxiliary inputs if $\mathsf{aux}_n = \{0,1\}^{n^{c'}}$ for each circuit family above.

Theorem D.7 (Informal). If the m-Knowledge of Exponent Assumption holds with respect to an admissible adversary family $\mathcal{A}$ such that $\mathcal{A}$ contains all polysize malicious circuits and allows polysize malicious extensions, and DHLA holds, then there exist constant-round concurrent zero-knowledge arguments for NP in the plain model.

Furthermore, if $\mathcal{A}$ contains all polysize malicious adversaries with all polysize auxiliary inputs, then there exist constant-round concurrent zero-knowledge arguments for NP in the plain model with respect to arbitrary auxiliary inputs.



D.1 Protocol Description

The protocol starts by asking the verifier to use the Knowledge Commitment Protocol to commit to a value $b$ in $B = g^b$. Then the verifier proves that this commitment is correctly generated using $\Pi_{ZK}$. Following this, we use equivocal commitments whose trapdoor is $b$ to run a coin flipping protocol between the prover and the verifier. In parallel with the coin flipping protocol, we run a parallel repetition of Blum's Hamiltonicity protocol, where the result of the coin flipping protocol determines the challenge message. We describe the constant-round protocol for concurrent zero-knowledge argument in Figure 3.

Figure 3: $\Pi$: Constant Round Protocol for cZK. Here $P_i$ and $V_i$ denote the $i$-th prover and verifier message respectively, and $(P, V)$ represents the three round canonical argument.

Prover $P$ (initial state $St_0 = (x, w, R)$) and Verifier $V$:

$P_1$: $P$ samples $(p, q, g) \leftarrow L_{PQG}$; $a \leftarrow \mathbb{Z}_q^*$; $A \leftarrow g^a$, and sends $(p, q, g, A)$.

$V_1$: If $(p, q, g) \notin L_{PQG}$ then $V$ aborts; else $b \leftarrow \mathbb{Z}_q^*$; $B \leftarrow g^b$; $X \leftarrow A^b$, and $V$ sends $(B, X)$.

$P$ and $V$ run a constant round zero-knowledge protocol $\Pi_{ZK}$ where $V$ proves to $P$ that $\exists b$ such that $B = g^b$ and $X = A^b$.

$P_2$: If the above proof is not valid, then $P$ aborts; else let $\mathrm{Com}_{DL}$ (defined in Section 2.3) be the commitment scheme using $(g, B)$. $(\mathrm{CMT}, St_1) \leftarrow P(\varepsilon, St_0)$; $\alpha \leftarrow \mathbb{Z}_q$; $Z = \mathrm{Com}_{DL}(\alpha; r)$. $P$ sends $(\mathrm{CMT}, Z)$.

$V_2$: $\beta \leftarrow \{0,1\}^n$. $V$ sends $\beta$.

$P_3$: $(\mathrm{RSP}, St_2) \leftarrow P(\mathrm{CH}, St_1)$ with $\mathrm{CH} = \alpha \oplus \beta$. $P$ sends $(\alpha, r, \mathrm{RSP})$.

Verification: If $Z \neq \mathrm{Com}_{DL}(\alpha; r)$ then $V$ aborts. $\mathrm{CH} \leftarrow \alpha \oplus \beta$. If $\mathrm{Ver}_x(\mathrm{CMT}, \mathrm{CH}, \mathrm{RSP}) = 1$ then accept, else reject.

This protocol uses the discrete log based commitment scheme $\mathrm{Com}_{DL}$, which is binding under the hardness of DHLA. The secret value $b$ committed to by the verifier satisfies the following properties.

R1: For Soundness: Under DHLA (Assumption 3.1) and the zero-knowledge property of $\Pi_{ZK}$, any cheating prover interacting with the honest verifier cannot get the secret coins of the verifier. Hence, any cheating prover cannot output the discrete log of $B$ sent by the verifier in Figure 2.

R2: For Zero-knowledge: Under m-KEA (Assumption D.5), our simulator will be able to output the discrete log of $B$ no matter how the verifier behaves. Once the simulator gets the secret coins of $V^*$, which are the trapdoor to the equivocal commitment scheme, the simulation is easy.

For R2, informally, it seems that even the cheating verifier must start by simply choosing $b$ and computing $(g^b, A^b)$ in order to pass the check $X = B^a$. That is, we assume that the verifier knows the secret coins $b$ whenever it manages to convince the prover in $\Pi_{ZK}$. m-KEA, defined in Assumption D.5, captures this idea of knowledge and knowledge extraction formally. Under this variant of the knowledge of exponent assumption, we will design a simulator which extracts the secret coins of the cheating verifier. Since the simulator will have the trapdoor to $\mathrm{Com}_{DL}$, it will be able to equivocate on its commitment to $\alpha$ just as before and force the outcome of the coin flipping protocol to the challenge string output by the honest verifier simulator $S_{HV}$.

D.2 $\Pi$ is Computationally Sound

We prove the soundness of $\Pi$ by the two steps used in proving the soundness of the previous protocol. Let $S_{ZK}$ be the black-box zero-knowledge simulator for $\Pi_{ZK}$ and let $P^*$ denote the cheating prover.

• If $P^*$ succeeds in equivocating its commitment in the coin flipping protocol then we can extract the trapdoor value $b$ of the Knowledge Commitment Protocol from $P^*$. This shows that $P^*$ can be used to efficiently compute $b$ and thereby break DHLA.

• We show that if $P^*$ does not equivocate on its commitment in the coin flipping protocol and convinces the verifier of a false statement, then such a $P^*$ can be used to violate the underlying strong soundness of canonical arguments. In other words, it would violate the underlying soundness of Blum's Hamiltonicity protocol.

We prove the first step by a sequence of two lemmas. Let $\mathcal{G}$ be the following interactive game, similar to that defined in Section 5.

1. Sim runs the above protocol with $P^*$ (including an honest execution of $\Pi_{ZK}$) until $P^*$ commits to $\alpha$ using random coins $r$ in the above protocol, using the commitment scheme $\mathrm{Com}_{DL}$ as defined before. $P^*$ sets $Z = \mathrm{Com}_{DL}(\alpha; r)$ and sends $Z$ to Sim.

2. Sim sends $\beta$ to $P^*$.

3. $P^*$ sends $(\alpha_1, r_1, \mathrm{RSP})$ to Sim such that $Z = \mathrm{Com}_{DL}(\alpha_1; r_1)$.

4. Sim rewinds $P^*$ to Step 2 and sends it $\beta'$ such that $\beta' \neq \beta$. $P^*$ wins if it sends $(\alpha_2, r_2, \mathrm{RSP})$ to Sim such that $Z = \mathrm{Com}_{DL}(\alpha_2; r_2)$ and $\alpha_1 \neq \alpha_2$.

Let $\mathcal{G}'$ be a modified game in which Sim runs $S_{ZK}$ to simulate the proof in the first step instead of using the witness.

Lemma D.8. $\Pr[P^* \text{ wins } \mathcal{G}] - \Pr[P^* \text{ wins } \mathcal{G}']$ is negligible.

Proof: We will prove this by contradiction. If there is a non-negligible function $\gamma(n)$ such that $\Pr[P^* \text{ wins } \mathcal{G}] - \Pr[P^* \text{ wins } \mathcal{G}'] > \gamma(n)$, then we can construct a distinguisher $D$ which breaks the ZK property of $\Pi_{ZK}$ as follows: Let $Ch'$ be the challenger for ZK. $D$ starts the game with $P^*$ and forwards the messages between $P^*$ and $Ch'$ until the end of $\Pi_{ZK}$. Now $D$ completes the remaining game with $P^*$. If $P^*$ wins, $D$ claims that $\Pi_{ZK}$ was run with the actual witness; otherwise $D$ says that $\Pi_{ZK}$ was simulated. It can be shown that the success probability of $D$ is $1/2 + \gamma(n)/2$, which is non-negligible. This is a contradiction since $\Pi_{ZK}$ is a zero-knowledge protocol.

Lemma D.9. Using the above, we prove that no cheating prover can win $\mathcal{G}$ with non-negligible probability. Under DHLA, for every probabilistic polynomial time machine $P^*$, every polynomial $\mathrm{poly}(\cdot)$, and all sufficiently large $n$,

$\Pr[P^* \text{ wins } \mathcal{G}] < \frac{1}{\mathrm{poly}(n)},$

where the probability is over the choice of $a$, $\beta$ and the coins of $P^*$, and $n$ is the security parameter.

Proof: We will prove this by contradiction. If there is a polynomial $f(n)$ such that $\Pr[P^* \text{ wins } \mathcal{G}] > 1/f(n)$, then we can construct an adversary $\mathcal{A}$ for DHLA. $\mathcal{A}$ runs $P^*$, gets $(q, g, A)$ and sends $(g, A)$ to the challenger $Ch$ of DHLA. $Ch$ prepares the challenge tuple by choosing a random $b$ and sends $(B = g^b, X = A^b)$ to $\mathcal{A}$, which forwards it to $P^*$. $\mathcal{A}$ runs $S_{ZK}$ on $P^*$ to simulate $\Pi_{ZK}$. By Lemma D.8, the success probability of $P^*$ in winning $\mathcal{G}$ cannot decrease non-negligibly when it is given a simulated proof.

$P^*$ and $\mathcal{A}$ continue running the protocol $\Pi$ until the opening of $Z$ as $\alpha$. After this opening, $\mathcal{A}$ rewinds $P^*$ to the commitment $Z$ and runs $P^*$ again with a different $\beta'$ and looks at the opening of $Z$ by $P^*$. If $P^*$ opens $Z$ to the same $\alpha$, $\mathcal{A}$ aborts. Else, if $P^*$ opens $Z$ to an $\alpha'$ such that $\alpha \neq \alpha'$, $\mathcal{A}$ can compute $b$, the discrete log of $B$, as described in Section 2.3. $\mathcal{A}$ sends $b$ to

$\Pr[\mathcal{A} \text{ breaks DHLA}] = \Pr[P^* \text{ wins } \mathcal{G}] > 1/f(n) - \epsilon$, where $\epsilon$ is the negligible change in the success probability of $P^*$ when $\Pi_{ZK}$ is simulated. This contradicts DHLA.
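The two uses of $\mathrm{Com}_{DL}$ above, the simulator's equivocation with the trapdoor $b$ (property R2) and the recovery of $b$ from two openings of one commitment (the reduction in the proof of Lemma D.9), as an added example that is not code from the paper. It assumes a Pedersen-style form $Z = g^{\alpha} B^{r}$ for $\mathrm{Com}_{DL}$, since Section 2.3 is not on this page, and uses constructed toy group parameters.

```python
# Added example, not code from the paper: a Pedersen-style discrete-log
# commitment Com_DL over the order-q subgroup of Z_p^* (p = 2q + 1), keyed by
# the public pair (g, B) from the Knowledge Commitment Protocol. It shows:
#   (1) with the trapdoor b = log_g B, a commitment to 0 can be opened as any
#       alpha (the simulator's Open_DL step in the coin flip), and
#   (2) two different openings of one commitment reveal b (the DHLA reduction
#       of Lemma D.9: an equivocating prover yields the discrete log of B).
# The form Z = g^alpha * B^r is an assumption; parameters are constructed toys.
import secrets
from typing import Optional, Tuple

P = 1019          # toy safe prime p = 2q + 1 (far too small for real use)
Q = 509           # prime order of the subgroup
G = pow(2, 2, P)  # a quadratic residue, hence an element of order q in Z_p^*


def commit(alpha: int, r: int, B: int) -> int:
    """Com_DL(alpha; r) = g^alpha * B^r mod p, with public (g, B)."""
    return (pow(G, alpha, P) * pow(B, r, P)) % P


def verify_opening(Z: int, alpha: int, r: int, B: int) -> bool:
    """The verifier's check 'Z == Com_DL(alpha; r)' at the end of Figure 3."""
    return commit(alpha, r, B) == Z


def is_dh_tuple(B: int, X: int, a: int) -> bool:
    """The previous protocol's prover-side check: X == B^a for A = g^a."""
    return X == pow(B, a, P)


def equivocate(alpha_old: int, r_old: int, alpha_new: int, b: int) -> int:
    """Open_DL: with trapdoor b, return r_new so that
    Com_DL(alpha_old; r_old) == Com_DL(alpha_new; r_new).
    Since Z = g^(alpha + b*r), we need alpha_old + b*r_old == alpha_new + b*r_new (mod q)."""
    return (r_old + (alpha_old - alpha_new) * pow(b, -1, Q)) % Q


def extract_trapdoor(alpha1: int, r1: int, alpha2: int, r2: int) -> int:
    """Two openings of the same Z with alpha1 != alpha2 give the discrete log of B:
    alpha1 + b*r1 == alpha2 + b*r2 (mod q)  =>  b = (alpha1 - alpha2) / (r2 - r1)."""
    if alpha1 == alpha2 or (r1 - r2) % Q == 0:
        raise ValueError("need two openings that differ in alpha")
    return ((alpha1 - alpha2) * pow((r2 - r1) % Q, -1, Q)) % Q


def simulated_coin_flip(b: int, ch_target: int, beta: int,
                        r0: Optional[int] = None) -> Tuple[int, int, int, int]:
    """Simulator side of one session's coin flip, given the extracted b.
    Challenges are 8-bit strings here (a constructed choice) so that
    alpha = CH xor beta lies in Z_q. Returns (Z, r0, alpha, r): the commitment
    sent in P2, the coins used for it, and the opening sent in P3."""
    B = pow(G, b, P)
    if r0 is None:
        r0 = secrets.randbelow(Q)
    Z = commit(0, r0, B)          # commit to 0 before seeing beta
    alpha = ch_target ^ beta      # force alpha xor beta == CH from S_HV
    r = equivocate(0, r0, alpha, b)
    return Z, r0, alpha, r


def verifier_side(Z: int, alpha: int, r: int, beta: int, B: int) -> Optional[int]:
    """Honest verifier's handling of P3: check the opening; return CH, or None on abort."""
    if not verify_opening(Z, alpha, r, B):
        return None
    return alpha ^ beta


if __name__ == "__main__":
    b = secrets.randbelow(Q - 1) + 1          # verifier's secret coins, b in Z_q^*
    B = pow(G, b, P)
    Z, r0, alpha, r = simulated_coin_flip(b, ch_target=0b10100101, beta=0b01010101)
    assert verifier_side(Z, alpha, r, 0b01010101, B) == 0b10100101
    # The same two openings (0, r0) and (alpha, r) hand b to a DHLA reduction.
    assert extract_trapdoor(0, r0, alpha, r) == b
    print("equivocation and trapdoor extraction OK")
```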

Theorem D.10. Under Lemma D.9 and the strong soundness property (B2) of $(P, V)$, protocol $\Pi$ is computationally sound.

Proof: The proof is the same as that of Theorem 5.2.

D.3 Description of the simulator

To describe the simulator for the protocol in Figure 3, we again describe a sequence of adversaries. These adversaries are very similar to the ones described before. There is a change in $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$, but for the sake of completeness we give the description of all the adversaries.

In the concurrent setting, the verifier may start an unbounded number of sessions with the prover and may interleave them in any way he wants. One such individual session has a constant number of rounds (as shown in Figure 3). In this section, we will model our cheating verifier $V^*$ as a next message function with a state $\gamma$:

$V^*(\mathsf{Msg}', k, \gamma') \to (\mathsf{Msg}, j, \gamma, \ell)$

where $\mathsf{Msg}'$ is the prover's (or simulator's) message for session $k$ and $\gamma'$ is the last state of $V^*$. In response, $V^*$ sends the message $\mathsf{Msg}$ corresponding to some session $j$ and changes its state to $\gamma$. The prover's (or simulator's) next message would be the next message of session $j$. In case $\mathsf{Msg}$ is $\varepsilon$, the verifier is requesting the first message of session $\ell$. The verifier can also output a special message $(\mathrm{End}, \mathrm{output})$, which means that $V^*$ wants to stop the execution with output $\mathrm{output}$.

To describe our simulator $S_{V^*}$, we will first describe a sequence of admissible adversaries $\{C_{n,i}, M_{n,i}, B_{n,i}, \mathsf{aux}_n\}$ and $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ for all $i \in \{1, 2, \ldots, m+1\}$. First, we will describe these for $i = 1$, followed by $i > 1$ recursively using $\{C_{n,i-1}, M_{n,i-1}, B_{n,i-1}, \mathsf{aux}_n\}$ and $\{C'_{n,i-1}, M'_{n,i-1}, B'_{n,i-1}, \mathsf{aux}_n\}$. Each of these circuits will maintain and update the set of aborted sessions, called $\mathrm{Aborted}$. We will assume that the simulator knows the upper bound $m$ on the number of sessions that $V^*$ executes. Also, whenever $V^*$ stops, our simulator stops with the output of $V^*$.

Admissible adversary: $\{C_{n,1}, M_{n,1}, B_{n,1}, \mathsf{aux}_n\}$.

Input: $(x, y, (p_1, q_1, g_1, g_1^{a_1}), \ldots, (p_m, q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of length $m$ and $(p_i, q_i, g_i) \in L_{PQG}$ for all $i$. Each $p_i$ is of length $n$.
Output: $(j, B_j, X_j)$ or $(\mathrm{End}, \mathrm{output})$.

Description: We will start by building the circuit $F_{n,1}$ as follows: $F_{n,1}$ will simulate the interaction with $V^*$ until the point when $V^*$ sends the first $V_1$ message for some session $j$. Informally, this is the point when $V^*$ completes the "Knowledge Commitment Protocol" for the first time. So $F_{n,1}$ will keep sending the first message of the sessions requested by $V^*$ and wait for it to respond in one of the sessions. When $V^*$ sends a $V_1$ message for some session, $F_{n,1}$ outputs the message of $V^*$. More formally,

Step 1: $F_{n,1}$ sets $\gamma = (x, y, R_2)$ and $\mathsf{Msg}' = (p_1, q_1, g_1, g_1^{a_1})$. $F_{n,1}$ runs $V^*$ on $(\mathsf{Msg}', 1, \gamma)$.
Step 2: Let the output of $V^*$ be $(\mathsf{Msg}, j, \gamma, \ell)$. Now it does case analysis on $\mathsf{Msg}$.
Step 2a: If $\mathsf{Msg} = \varepsilon$, set $\mathsf{Msg}' = (p_\ell, q_\ell, g_\ell, g_\ell^{a_\ell})$ and run $V^*$ on $(\mathsf{Msg}', \ell, \gamma)$. Go to Step 2.
Step 2b: If $\mathsf{Msg}$ is the $V_1$ message of session $j$, i.e. $\mathsf{Msg} = (B_j, X_j)$, $F_{n,1}$ outputs $(j, B_j, X_j)$.
Step 2c: If $\mathsf{Msg} = (\mathrm{End}, \mathrm{output})$, $F_{n,1}$ outputs $(\mathrm{End}, \mathrm{output})$.

Note that since $F_{n,1}$ stops whenever $V^*$ sends the $V_1$ message of any session, the only inputs to $V^*$ are the prover's $P_1$ messages.

Now that we have defined $F_{n,1}$, we define our admissible adversary $\{C_{n,1}, M_{n,1}, B_{n,1}, \mathsf{aux}_n\} = (F_{n,1}, F_{n,1}, \varepsilon, \mathsf{aux}_n)$. Now we describe $\{C'_{n,1}, M'_{n,1}, B'_{n,1}, \mathsf{aux}_n\}$ as follows: By m-KEA, there must exist an extractor circuit $E_{n,1}$ which takes a subset of the wires of $M_{n,1}$ as input and outputs $(j, b_j)$ such that if $X_j = B_j^{a_j}$ then $B_j = g_j^{b_j}$ with all but negligible probability. Here, without loss of generality and for ease of notation, we have assumed that $E_{n,1}$ also outputs $j$ along with $b_j$. This can be done by just using the output wires of $M_{n,1}$. Then $\{C'_{n,1}, M'_{n,1}, B'_{n,1}, \mathsf{aux}_n\} = (C_{n,1} \cup E_{n,1}, M_{n,1}, E_{n,1}, \mathsf{aux}_n)$.

We now describe $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ and $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\}$ recursively. Informally, $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ is the result of a polysize malicious extension to $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ using an extension circuit $F_{n,i+1}$. Here, $F_{n,i+1}$ continues the simulation using the output of $B'_{n,i}$. Whenever the $\Pi_{ZK}$ phase of any session completes successfully, it checks whether the extraction was successful. If the extraction failed, it outputs $\mathrm{SimAbort}$. Otherwise, it continues the simulation until the point when $V^*$ responds with the next $V_1$ message for some session $j$. Then $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\}$ does the benign extraction for session $j$.

Admissible Adversary: $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ for some $i \in \{1, 2, \ldots, m\}$.
Input: $(x, y, (p_1, q_1, g_1, g_1^{a_1}), (p_2, q_2, g_2, g_2^{a_2}), \ldots, (p_m, q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of length $m$ and $(p_i, q_i, g_i) \in L_{pqg}$ for all $i$. Each $p_i$ is of length $n$.
Output: $(j, B_j, X_j)$ or $(\mathsf{End}, \mathsf{output})$ or SimAbort.

Description: $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$ is the result of a polysize malicious extension to $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. Let $F_{n,i+1}$ be this malicious extension. It will simulate the interaction with $V^*$ from the point when $V^*$ sends its $i$-th $V_1$ message till $V^*$ sends one more $V_1$ message for some session $j$. These messages would be simulated with the help of the extractions done by the benign part of the circuit $B'_{n,i}$ so far. When $V^*$ sends the $V_1$ message for session $j$, then $F_{n,i+1}$ stops and outputs the message of $V^*$. More formally, $F_{n,i+1}$ is defined as follows:

Step 1: If $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ outputs SimAbort or $(\mathsf{End}, \mathsf{output})$, then $F_{n,i+1}$ outputs the same. Else find the last output from $V^*$ in $M_{n,i}$. It would be of the form $(j, B_j, X_j, \gamma)$. $B'_{n,i}$ would have attempted to extract the discrete log of $B_j$. Since the next message in session $j$ is $V^*$'s first message for $\Pi_{\mathrm{ZK}}$, run $V^*$ on $(\epsilon, j, \gamma)$.

Step 2: Let the output of $V^*$ be $(\mathsf{Msg}, j, \gamma)$ for some $j$ and $\gamma$. Now $F_{n,i+1}$ does a case analysis on $\mathsf{Msg}$.

Step 2a: If $(\mathsf{Abort}, j) \in \mathsf{Aborted}$, set $\mathsf{Msg}' = (\mathsf{Abort}, j)$ and $\mathsf{next} = (\mathsf{Msg}', j, \gamma)$.

Step 2b: If $\mathsf{Msg}$ is the $V_1$ message of session $j$, i.e. $\mathsf{Msg} = (B_j, X_j)$, then $F_{n,i+1}$ outputs $(j, B_j, X_j)$.

Step 2c: If $\mathsf{Msg}$ is the last message of $\Pi_{\mathrm{ZK}}$ for session $j$, do the following:

• If the proof fails, add $(\mathsf{Abort}, j)$ to $\mathsf{Aborted}$. Set $\mathsf{Msg}' = (\mathsf{Abort}, j)$ and $\mathsf{next} = (\mathsf{Msg}', j, \gamma)$.

• Find the corresponding output $(j, b_j)$ of $B'_{n,i}$. If it is not found or if $B_j \neq g_j^{b_j}$, $F_{n,i+1}$ outputs SimAbort.

• If the proof is accepted and there is a valid $(j, b_j)$, $F_{n,i+1}$ knows the discrete log of $B_j$, and it can equivocate in the commitment scheme $\mathrm{Com}_{DL_j}$. Set $Z_j = \mathrm{Com}_{DL_j}(0; f'_j)$. Run $S_{HV}$ on input $x$ to get the view of $V$ for session $j$, say $(\mathrm{CMT}_j, \mathrm{CH}_j, \mathrm{RSP}_j)$. Set $\mathsf{Msg}' = (\mathrm{CMT}_j, Z_j)$ and $\mathsf{next} = (\mathsf{Msg}', j, \gamma)$.

Step 2d: If $\mathsf{Msg}$ is the $V_2$ message of session $j$, i.e. $\mathsf{Msg} = \beta_j$, then find $\mathrm{CH}_j$, $\mathrm{RSP}_j$ and $f'_j$ in $M'_{n,i} \cup F_{n,i+1}$ and set $\alpha_j = \mathrm{CH}_j \oplus \beta_j$. Set $f_j = \mathrm{Open}_{DL_j}(0, \alpha_j, f'_j, b_j)$. Set $\mathsf{Msg}' = (\alpha_j, f_j, \mathrm{RSP}_j)$ and $\mathsf{next} = (\mathsf{Msg}', j, \gamma)$.

Step 2e: If $\mathsf{Msg} = \ell$, then set $\mathsf{Msg}' = (p_\ell, q_\ell, g_\ell, g_\ell^{a_\ell})$ and $\mathsf{next} = (\mathsf{Msg}', \ell, \gamma)$.

Step 2f: If $\mathsf{Msg} = (\mathsf{End}, \mathsf{output})$, $F_{n,i+1}$ outputs $(\mathsf{End}, \mathsf{output})$.

Step 3: Run $V^*$ on $\mathsf{next}$ and go to Step 2.
With the above description of $F_{n,i+1}$ complete, we now define $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\} = (C'_{n,i} \cup F_{n,i+1}, M'_{n,i} \cup F_{n,i+1}, B'_{n,i}, \mathsf{aux}_n)$.
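
The handling of session $j$ in Steps 2c and 2d is the core of the simulation: the extracted $b_j$ lets $F_{n,i+1}$ commit to $0$, learn $\beta_j$, and only then open the commitment to $\alpha_j = \mathrm{CH}_j \oplus \beta_j$, so that the challenge of the canonical argument equals the one $S_{HV}$ already produced. The Python program below is an added illustration of that mechanism and is not part of the paper. It makes three assumptions the text does not fix: $\mathrm{Com}_{DL_j}$ is instantiated as a Pedersen-style commitment whose trapdoor is $b_j = \log_{g} B_j$; a Schnorr proof of knowledge of a discrete log stands in for the canonical 3-round argument $(P, V)$ and its honest-verifier simulator $S_{HV}$; and a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$) replaces $L_{pqg}$. The helper that produces the $V_1$ message simply returns the verifier's exponent $b$, standing in for what the m-KEA extractor $E_{n,i}$ would supply to $B'_{n,i}$.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p and q prime; g = 4 generates the
# order-q subgroup of Z_p^*.  Far too small for real use, chosen so arithmetic is visible.
P, Q, G = 2039, 1019, 4
NBITS = 8   # challenge length n; 2**NBITS < Q, so alpha = CH xor beta always lies in Z_q


def rand_zq_star():
    """Uniform element of Z_q^* (the a_i and b_j of the construction are drawn from here)."""
    return secrets.randbelow(Q - 1) + 1


def rand_challenge():
    """Uniform n-bit value, the domain of CH_j, beta_j and alpha_j."""
    return secrets.randbelow(1 << NBITS)


# --- Knowledge commitment (the V_1 message) and the prover's DH check -------------------
def knowledge_commitment(a):
    """V*'s V_1 message for one session: B = g^b, X = B^a.  The exponent b is returned too;
    in the paper it is what the m-KEA extractor E_{n,i} hands to the benign part."""
    b = rand_zq_star()
    B = pow(G, b, P)
    return b, B, pow(B, a, P)


def dh_check(a, B, X):
    """(g^a, B, X) in DH  <=>  X = B^a.  The prover chose a, so this is a direct check."""
    return pow(B, a, P) == X


# --- Com_DL / Open_DL: assumed Pedersen-style instantiation, trapdoor b = log_g B --------
def com_dl(B, m, r):
    """Commitment to m with randomness r under the verifier's B (hypothetical form of Com_DL)."""
    return (pow(G, m, P) * pow(B, r, P)) % P


def open_dl(alpha, r_prime, b):
    """Randomness f with com_dl(B, alpha, f) == com_dl(B, 0, r_prime); needs the trapdoor b."""
    return (r_prime - alpha * pow(b, -1, Q)) % Q


# --- Canonical 3-round argument: Schnorr for x = (h = g^w), a stand-in for (P, V) ---------
def schnorr_verify(h, cmt, ch, rsp):
    return pow(G, rsp, P) == (cmt * pow(h, ch, P)) % P


def s_hv(h):
    """Honest-verifier simulator S_HV: choose CH and RSP first, then solve for CMT."""
    ch, rsp = rand_challenge(), rand_zq_star()
    cmt = (pow(G, rsp, P) * pow(pow(h, ch, P), -1, P)) % P
    return cmt, ch, rsp


def v_star_beta(cmt, Z):
    """An adaptive V*: beta_j depends on the P_2 message (CMT_j, Z_j) it has just received."""
    digest = hashlib.sha256(f"{cmt}|{Z}".encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << NBITS) - 1)


def verifier_accepts(h, B, Z, beta, alpha, f, cmt, rsp):
    """V's final check: Z opens to alpha under f, and (CMT, alpha xor beta, RSP) verifies."""
    return com_dl(B, alpha, f) == Z and schnorr_verify(h, cmt, alpha ^ beta, rsp)


def honest_session(h, w, a):
    """Session j as in H_{i,1}: the prover holds the witness w and commits to a random alpha."""
    b, B, X = knowledge_commitment(a)
    if not dh_check(a, B, X):
        return False
    r = rand_zq_star()
    cmt = pow(G, r, P)
    alpha, f = rand_challenge(), rand_zq_star()
    Z = com_dl(B, alpha, f)             # P_2 = (CMT_j, Z_j)
    beta = v_star_beta(cmt, Z)          # V_2 = beta_j
    ch = alpha ^ beta
    rsp = (r + ch * w) % Q              # P_3 = (alpha_j, f_j, RSP_j)
    return verifier_accepts(h, B, Z, beta, alpha, f, cmt, rsp)


def simulated_session(h, a):
    """Session j as in H_{i,3}: no witness; the extracted b lets F_{n,i+1} equivocate Z_j."""
    b, B, X = knowledge_commitment(a)
    if not dh_check(a, B, X):
        return "SimAbort"               # a non-DH tuple is the case the paper's SimAbort covers
    cmt, ch, rsp = s_hv(h)              # whole transcript fixed before beta_j is known
    f_prime = rand_zq_star()
    Z = com_dl(B, 0, f_prime)           # P_2 = (CMT_j, Com_DL(0; f'_j))
    beta = v_star_beta(cmt, Z)          # V_2 = beta_j
    alpha = ch ^ beta                   # forces CH_j = alpha_j xor beta_j
    f = open_dl(alpha, f_prime, b)      # Open_DL(0, alpha_j, f'_j, b_j)
    return verifier_accepts(h, B, Z, beta, alpha, f, cmt, rsp)


if __name__ == "__main__":
    w = rand_zq_star()
    h = pow(G, w, P)
    a = rand_zq_star()
    print("honest accepted:", honest_session(h, w, a))
    print("simulated accepted:", simulated_session(h, a))
```

Both runs are accepted by the same verifier checks, although the simulated prover never uses $w$: all it needs is the trapdoor $b$ to turn $\mathrm{Com}_{DL}(0; f')$ into a valid opening to $\alpha_j$. Without the correct $b$, `open_dl` produces randomness under which the commitment no longer opens to $\alpha_j$, which is why the construction checks $B_j = g_j^{b_j}$ before relying on the extracted value.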

Now that we have defined $\{C_{n,i+1}, M_{n,i+1}, B_{n,i+1}, \mathsf{aux}_n\}$, we define our admissible adversary $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\}$ as follows: By m-KEA, there must exist a circuit $E_{n,i+1}$ which takes a subset of the internal wires of $M_{n,i+1}$ as input and outputs $(j, b_j)$ such that if $X_j = B_j^{a_j}$ then $B_j = g_j^{b_j}$ with all but negligible probability. Here again, without loss of generality and for ease of notation, we assume that $E_{n,i+1}$ also outputs $j$ along with $b_j$. This can be done by just using the output wires of $M_{n,i+1}$. Then, we define $\{C'_{n,i+1}, M'_{n,i+1}, B'_{n,i+1}, \mathsf{aux}_n\} = (C_{n,i+1} \cup E_{n,i+1}, M_{n,i+1}, B_{n,i+1} \cup E_{n,i+1}, \mathsf{aux}_n)$.

Now that we have defined this sequence of admissible adversaries, we will describe our simulator $S_{V^*}$ in terms of these machines.
Circuit: $S_{V^*}$.

Input: $(x, y)$, where $x \in L$ and $y \in \mathsf{aux}_n$ is the auxiliary input of length $m$.
Output: View of $V^*$.

Step 1: If $V^*$ starts $m$ sessions then $S_{V^*}$ generates $(p_i, q_i, g_i) \leftarrow L_{pqg}$ for all $i \in \{1, 2, \ldots, m\}$.

Step 2: $S_{V^*}$ generates $a_1, a_2, \ldots, a_m$ uniformly at random such that $a_i \in \mathbb{Z}_{q_i}^*$ and computes $A_i = g_i^{a_i}$ for all $i$.

Step 3: $S_{V^*}$ executes the admissible adversary circuit $(C_{n,m+1}, M_{n,m+1}, B_{n,m+1})$ with the inputs $(x, y, (p_1, q_1, g_1, g_1^{a_1}), \ldots, (p_m, q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of $V^*$ of length $m$, $R_2$ is the random tape of $V^*$ and $R_1$ are the random coins for $C_{n,m+1}$.

Step 4a: If $(C_{n,m+1}, M_{n,m+1}, B_{n,m+1})$ outputs SimAbort then $S_{V^*}$ also outputs SimAbort.

Step 4b: If $(C_{n,m+1}, M_{n,m+1}, B_{n,m+1})$ runs to completion with output $(\mathsf{End}, \mathsf{output})$, then $S_{V^*}$ outputs $\mathsf{output}$.

Theorem D.11. If there are $m$ concurrent sessions of $\Pi$ and if our family of admissible adversaries $\mathcal{A}$ contains all polynomial size adversaries and allows polysize malicious extensions, then under m-KEA, the honest verifier zero-knowledge property of $(P, V)$ and the zero-knowledge property of $\Pi_{\mathrm{ZK}}$, the following distribution ensembles are computationally indistinguishable:

$\{S_{V^*}(x, y)\}_{m,\, x \in L,\, y \in \{0,1\}^m}$ and $\{\langle P(x, w), V^*(x, y)\rangle\}_{m,\, x \in L,\, w \in W_L(x),\, y \in \{0,1\}^m}$

Proof: We will prove indistinguishability by a sequence of hybrids. If there are $m$ sessions we will consider $3m + 1$ hybrids, $\mathcal{H}_0 \cup \{\mathcal{H}_{i,1}, \mathcal{H}_{i,2}, \mathcal{H}_{i,3}\}$ for all $i \in [m]$. We will now describe the hybrids in detail. We will assume that all the hybrids also have the witness $w$ for the fact $x \in L$.

• $\mathcal{H}_0$ is the honest hybrid. It runs Steps 1 and 2 of $S_{V^*}$ and then builds $F_{n,1}$ but does not stop on receiving the first response from $V^*$. Instead it uses the witness and interacts honestly in all the sessions. $\mathcal{H}_0 = \{F_{n,1}, F_{n,1}, \emptyset, \mathsf{aux}_n\}$. This hybrid is the same as the honest prover interacting with $V^*$.

In each of the following hybrids we build on the admissible adversary circuit $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. If its malicious part $M'_{n,i}$ outputs a tuple, we will call its session number $j$.

• $\mathcal{H}_{i,1}$ runs Steps 1 and 2 of $S_{V^*}$ and then builds $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ with the inputs $(x, y, (q_1, g_1, g_1^{a_1}), (q_2, g_2, g_2^{a_2}), \ldots, (q_m, g_m, g_m^{a_m}))$ and $(R_1, R_2)$, where $x \in L$, $y$ is the auxiliary input of $V^*$ of length $m$, $R_2$ is the random tape of $V^*$ and $R_1$ are the random coins of $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. If $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$ outputs SimAbort, then $\mathcal{H}_{i,1}$ does the same. Else find the last output from $V^*$ in $M_{n,i}$. It would be of the form $(j, B_j, X_j, \gamma)$. Now, start building the polysize malicious extension $F_{n,i+1}$ to $\{C'_{n,i}, M'_{n,i}, B'_{n,i}, \mathsf{aux}_n\}$. $F_{n,i+1}$ continues as follows:

– For the first $i$ sessions for which the knowledge commitment was completed, whenever $\Pi_{\mathrm{ZK}}$ completes do the following: If the proof is not accepted, it adds $(\mathsf{Abort}, \ell)$ to $\mathsf{Aborted}$. If the proof is accepted, it finds the corresponding output $(\ell, b_\ell)$ of $B'_{n,i}$. If it is not found or $B_\ell \neq g_\ell^{b_\ell}$, $F_{n,i+1}$ outputs SimAbort. If a valid $(\ell, b_\ell)$ is found and $\ell \neq j$, it uses the extracted values to simulate the sessions. For $\ell = j$, it acts honestly after $\Pi_{\mathrm{ZK}}$.

– For the rest of the sessions, it uses the witness to generate the messages honestly.

Note that though $F_{n,i+1}$ has the extracted value for session $j$, it does not use it and acts honestly in that session. $\mathcal{H}_{i,1} = \{C'_{n,i} \cup F_{n,i+1}, M'_{n,i} \cup F_{n,i+1}, B'_{n,i}, \mathsf{aux}_n\}$.

• $\mathcal{H}_{i,2}$ is the same as $\mathcal{H}_{i,1}$ with the following change. It chooses $\alpha_j \leftarrow \mathbb{Z}_q$, but sets $Z_j = \mathrm{Com}_{DL_j}(0; f'_j)$. Later, while opening, it sets $f_j = \mathrm{Open}_{DL_j}(0, \alpha_j, f'_j, b_j)$ and opens the commitment to $\alpha_j$ and $f_j$. It generates all other messages of session $j$ honestly.

The hybrids $\mathcal{H}_{i,1}$ and $\mathcal{H}_{i,2}$ are identical because the commitment scheme $\mathrm{Com}_{DL_j}$ is perfectly hiding and hence $\mathrm{Com}_{DL_j}(0)$ and $\mathrm{Com}_{DL_j}(\alpha_j)$ are identically distributed.

• $\mathcal{H}_{i,3}$ makes the following change in $\mathcal{H}_{i,2}$. While generating the $P_2$ message of session $j$, it runs $S_{HV}$ to get $(\mathrm{CMT}_j, \mathrm{CH}_j, \mathrm{RSP}_j)$. It sends $(\mathrm{CMT}_j, \mathrm{Com}_{DL_j}(0; f'_j))$ as the $P_2$ message. For the $P_3$ message, it sets $\alpha_j = \beta_j \oplus \mathrm{CH}_j$, $f_j = \mathrm{Open}_{DL_j}(0, \alpha_j, f'_j, b_j)$ and sends $(\alpha_j, f_j, \mathrm{RSP}_j)$. Hence, in $\mathcal{H}_{i,3}$ all sessions $\ell$ such that $(\ell, b_\ell)$ is in the output of $B'_{n,i}$ are simulated and all the rest are honest. Note that $\mathcal{H}_{m,3}$ is the same as the interaction between $S_{V^*}$ and $V^*$.

Below we will prove the indistinguishability of $\mathcal{H}_{i,3}$ and $\mathcal{H}_{i+1,1}$.

First note that the only difference between the hybrids $\mathcal{H}_{i,3}$ and $\mathcal{H}_{i+1,1}$ is that in $\mathcal{H}_{i+1,1}$ we add $E_{n,i+1}$ to $B'_{n,i}$. But note that SimAbort can happen in $\mathcal{H}_{i+1,1}$ and not in $\mathcal{H}_{i,3}$ for the following two reasons:

– When $V^*$ sends $(B, X)$ such that $(g^{a_j}, B, X) \notin \mathcal{DH}$ and manages to successfully complete $\Pi_{\mathrm{ZK}}$ by convincing the prover that it sent a valid tuple. The extraction can fail almost always in this case. We prove in Lemma D.12 that the probability of $V^*$ proving a wrong statement is negligible by reducing it to the statistical soundness of $\Pi_{\mathrm{ZK}}$. Hence, the probability of SimAbort due to this event is also negligible.

– When $V^*$ sends a valid $(B, X)$, yet m-KEA fails to give a successful extraction. But by the first property of m-KEA, the probability of this event is negligible in $n$.

Since the probability of each of the above events is negligible in $n$, $\mathcal{H}_{i,3}$ and $\mathcal{H}_{i+1,1}$ are statistically close. We now state and prove Lemma D.12, followed by the indistinguishability of $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$.

Lemma D.12. Consider $\mathcal{H}_{i+1,1}$ such that $\mathcal{H}_{i,3}$ does not output SimAbort, and $j$ as defined in $\mathcal{H}_{i+1,1}$. Then,

$\Pr[(g_j^{a_j}, B_j, X_j) \notin \mathcal{DH} \;\wedge\; \Pi_{\mathrm{ZK}} \text{ is accepted for session } j]$ is negligible.

Proof: We will prove this by contradiction. If there is a non-negligible function $\gamma(n)$ such that $\Pr[(g_j^{a_j}, B_j, X_j) \notin \mathcal{DH} \wedge \Pi_{\mathrm{ZK}} \text{ is accepted for session } j] > \gamma(n)$ in $\mathcal{H}_{i+1,1}$, then we will construct an adversary which breaks the stand-alone statistical soundness of $\Pi_{\mathrm{ZK}}$ with probability $\gamma(n)$. Consider a hybrid $\mathcal{H}'_{i+1,1}$ which is the same as $\mathcal{H}_{i+1,1}$ with the following change. Internally, $\mathcal{H}_{i+1,1}$ extracts the secret value of $V^*$ for the first $i+1$ sessions (where sessions are ordered according to the knowledge commitment by $V^*$) and behaves honestly in all other sessions. For each of the first $i+1$ knowledge commitments, it has an extractor circuit obtained from m-KEA. Since $\mathcal{H}_{i,3}$ does not output SimAbort, one of the following holds for each of the first $i$ extractions:

• The extraction is successful.

• $V^*$ fails to complete $\Pi_{\mathrm{ZK}}$ successfully.

$\mathcal{H}'_{i+1,1}$ does not use any of the circuits output by m-KEA. Instead, it runs in super-polynomial time to extract the discrete log of $B_\ell$ w.r.t. $g_\ell$ corresponding to the first $i$ knowledge commitments by $V^*$. This super-polynomial time extraction is always successful. Moreover, if $V^*$ fails to convince in $\Pi_{\mathrm{ZK}}$ for some session, $\mathcal{H}'_{i+1,1}$ also aborts those sessions. For the sessions in which $\mathcal{H}_{i+1,1}$ acts honestly, $\mathcal{H}'_{i+1,1}$ also acts honestly. Hence, note that the view of $V^*$ is identical in $\mathcal{H}_{i+1,1}$ and $\mathcal{H}'_{i+1,1}$ till $V^*$ completes $\Pi_{\mathrm{ZK}}$ for session $j$.
Let $V_{\mathrm{ZK}}$ be an honest verifier for $\Pi_{\mathrm{ZK}}$, which generates $(p, q, g) \leftarrow L_{pqg}$ and $a \leftarrow \mathbb{Z}_q^*$. Now consider a hybrid $\mathcal{H}''_{i+1,1}$ which is the same as $\mathcal{H}'_{i+1,1}$ except for the change that it takes $(g, g^a)$ for the $j$-th session from $V_{\mathrm{ZK}}$. Since $S_{V^*}$ was generating these pairs at random and $V_{\mathrm{ZK}}$ is honest, the view of $V^*$ in $\mathcal{H}''_{i+1,1}$ and $\mathcal{H}'_{i+1,1}$ is indistinguishable. Now, when $V^*$ sends $(j, B_j, X_j)$ for session $j$, $\mathcal{H}''_{i+1,1}$ forwards it to $V_{\mathrm{ZK}}$. Whenever $V^*$ sends some message for $\Pi_{\mathrm{ZK}}$ of session $j$, $\mathcal{H}''_{i+1,1}$ forwards it to $V_{\mathrm{ZK}}$ and forwards the response of $V_{\mathrm{ZK}}$ to $V^*$. Whenever $V^*$ convinces $\mathcal{H}''_{i+1,1}$, it also succeeds in convincing $V_{\mathrm{ZK}}$. Since $\Pr[(g^{a_j}, B_j, X_j) \notin \mathcal{DH} \wedge \Pi_{\mathrm{ZK}} \text{ is accepted for session } j] > \gamma(n)$ for $\mathcal{H}''_{i+1,1}$, it breaks the statistical soundness of $\Pi_{\mathrm{ZK}}$ with probability $\gamma(n)$, which is a contradiction.

In order to show indistinguishability between $\mathcal{H}_0$ and $\mathcal{H}_{m,3}$, we are just left with showing indistinguishability between $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$. We will show this by contradiction. Let us assume there is a distinguisher $\mathcal{D}$ which distinguishes between $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$ for some $i$ and auxiliary input $y$. Then we will show a distinguisher $\mathcal{D}'$ for

$\{S_{HV}(x)\}_{x \in L}$ and $\{\langle P(x, w), V(x)\rangle\}_{x \in L,\, w \in W_L(x)}$.

This would contradict the honest verifier zero-knowledge property of $(P, V)$. $\mathcal{D}'$ is given a 3-round transcript $T' = \{\mathrm{CMT}, \mathrm{CH}, \mathrm{RSP}\}$ as input for the NP-statement $x \in L$, which is generated either by $P$ or by $S_{HV}$ for the canonical argument system. Using the witness $w$ for $x \in L$, $\mathcal{D}'$ generates an input $\mathcal{H}_i$ for $\mathcal{D}$ which is the same as $\mathcal{H}_{i,3}$ except for the following change. Instead of running $S_{HV}$ for the session $j$ (defined above), it uses $\{\mathrm{CMT}, \mathrm{CH}, \mathrm{RSP}\}$ for that session.

If the input to $\mathcal{D}'$ is from $\{\langle P(x, w), V(x)\rangle\}_{x \in L,\, w \in W_L(x)}$, the input to $\mathcal{D}$ is identical to $\mathcal{H}_{i,2}$. This is because, since the honest verifier's $\mathrm{CH}$ is distributed uniformly in $\{0,1\}^n$, $\alpha_j$ in $\mathcal{H}_i$ will be distributed uniformly. On the other hand, if the input of $\mathcal{D}'$ is from $\{S_{HV}(x)\}_{x \in L}$, the input to $\mathcal{D}$ is identical to $\mathcal{H}_{i,3}$. So, if $\mathcal{D}$ says that $\mathcal{H}_i$ is distributed identically to $\mathcal{H}_{i,2}$, then $\mathcal{D}'$ says that $T'$ is generated by $P$. Else, it is generated by $S_{HV}$.

The success probability of $\mathcal{D}'$ in distinguishing between transcripts of $P$ and $S_{HV}$ is the same as the success probability of $\mathcal{D}$ in distinguishing $\mathcal{H}_{i,2}$ and $\mathcal{H}_{i,3}$. Hence, $\mathcal{D}'$ distinguishes between the following two ensembles with non-negligible probability

$\{S_{HV}(x)\}_{x \in L}$ and $\{\langle P(x, w), V(x)\rangle\}_{x \in L,\, w \in W_L(x)}$

in contradiction to property B3 of the canonical argument system.